b'January 2006\nReport No. 06-005\n\n\nFDIC Safeguards Over Personal\nEmployee Information\n\n\n\n\n        EVALUATION REPORT\n\n             eral\n\x0c                                                                                                       Report No. 06-005\n                                                                                                          January 2006\n\n                                   FDIC Safeguards Over Personal Employee Information\n\n                                   Results of Evaluation\n\n                                   The FDIC has a corporate-wide program for protecting personal employee information,\n                                   has appointed a Chief Privacy Officer (CPO) with responsibility for privacy and data\n                                   protection policy, and is making efforts to enhance its privacy program in response to\n                                   legislative requirements and breaches of FDIC employee information. 
The following table\nBackground and                     presents programmatic initiatives and notable physical and electronic safeguards over\nPurpose of Evaluation              personal employee information that the FDIC has in place or underway.\n\nThe Federal Trade                                      Initiatives In Place or Underway\nCommission defines identity\n                                   Privacy       \xe2\x80\xa2   The Legal Division is updating required system of records notices (SORN).\ntheft as \xe2\x80\x9ca fraud that is          Program       \xe2\x80\xa2   The Legal Division documented required privacy reviews.\ncommitted or attempted, using                    \xe2\x80\xa2   The CPO developed a Privacy Web site.\na person\xe2\x80\x99s identifying                           \xe2\x80\xa2   The CPO has developed and implemented privacy awareness training courses.\ninformation without\npermission.\xe2\x80\x9d Identity theft is     Physical      \xe2\x80\xa2 Human Resources Branch (HRB) operations and files containing Social Security\n                                   Safeguards      Numbers (SSNs) are housed in limited-access, secured office space.\none of the fastest growing\n                                                 \xe2\x80\xa2 HRB employees are required to encrypt all internal and external transmissions\ncrimes in the country and has\n                                                   containing sensitive information.\ninvolved private sector and                      \xe2\x80\xa2 HRB has eliminated SSNs from most standard reports, including staffing tables.\nfederal agency information.                      
\xe2\x80\xa2 Records Management has eliminated SSNs from most FDIC forms.\n                                                 \xe2\x80\xa2 HRB has installed personal shredders for all HRB staff, and the Corporation has\nThe FDIC is no exception and                       installed secured shredding bins in all FDIC Headquarters offices.\nhas experienced several\nbreaches involving personal\n                                   Electronic   \xe2\x80\xa2 The Division of Information Technology (DIT) completed required information\n                                   Safeguards     security procedures for the FDIC\xe2\x80\x99s human resources and accounting systems.\nemployee information. For\n                                                \xe2\x80\xa2 DIT conducted a review of FDIC applications to identify those containing SSNs.\nexample, a security breach                      \xe2\x80\xa2 DIT conducted a corporate-wide survey to collect information about electronic\nidentified in 2005 involved                       and hardcopy sources of data containing SSNs.\nunauthorized access to                          \xe2\x80\xa2 DIT completed Privacy Impact Assessments for 27 systems containing SSNs.\npersonal information for a large                \xe2\x80\xa2 DOA and the Division of Finance (DOF) have reviewed user access levels for\nnumber of current and former                      the FDIC\xe2\x80\x99s human resources and accounting systems.\nFDIC employees.                                 
\xe2\x80\xa2 FDIC human resources and accounting systems use employee identification\n                                                  numbers instead of SSNs.\nAmong other things, the            Source: OIG Analysis.\nPrivacy Act of 1974 requires\nfederal agencies to limit the      We identified opportunities for the FDIC to strengthen its privacy program for protecting\ncollection, disclosure, and use    personal employee information, including:\nof personal information\nmaintained in systems of           \xe2\x80\xa2 Developing an overarching privacy policy to ensure coordination between the CPO\nrecords and to establish             and Privacy Act Clearance Officer and updating SORNs pertaining to employee\nreasonable safeguards over           information, especially information maintained by contractors.\nthose records.                     \xe2\x80\xa2 Ensuring that contracts, for which the scope requires contractors to maintain personal\n                                     employee information, contain adequate references to the Privacy Act, appropriate\nIn July 2005, the Director,          confidentiality clauses, and signed confidentiality agreements.\nDivision of Administration         \xe2\x80\xa2 Conducting some form of security review or obtaining assurances through third-party\n(DOA), requested that we             security reviews for contractors and vendors that maintain personal employee\nperform an evaluation of this        information in electronic form.\narea. 
Our objective was to\nevaluate the FDIC\xe2\x80\x99s policies,      These additional controls will help to ensure that the FDIC complies fully with privacy-\nprocedures, and practices for      related legislation and regulations; identifies personal employee information maintained\nsafeguarding personal              by the FDIC and its contractors that needs to be protected; and implements sufficient\nemployee information in            administrative, physical, and technical controls over such information.\nhardcopy and electronic form.\n                                   Recommendations and Management Response\n\nTo view the full report, go to     We made 15 recommendations to strengthen the FDIC\xe2\x80\x99s privacy program. The\nwww.fdicig.gov/2006reports.asp     Corporation generally concurred with our report and agreed to take corrective action on\n                                   12 recommendations. The FDIC indicated, and we concur, that actions taken and/or\n                                   controls in place were sufficient to address the remaining three recommendations.\n\x0c                               TABLE OF CONTENTS\nBACKGROUND                                                                                  1\n\nEVALUATION RESULTS                                                                          2\n\nFDIC\xe2\x80\x99S PRIVACY PROGRAM                                                                      3\n\n     Chief Privacy Officer Brought Renewed Focus to Corporate Privacy Program               3\n\nAREAS FOR IMPROVEMENT \xe2\x80\x93 PRIVACY PROGRAM                                                     6\n\n     Overarching Privacy Policy Needed to Coordinate CPO and Traditional Privacy Act        6\n     Responsibilities\n\n     The FDIC Needs to Update and Republish the UPS SORN and Revise Other SORNs             8\n\n     Recommendations                                                                        11\n\nFDIC PRACTICES AND 
INITIATIVES TO PHYSICALLY SAFEGUARD PERSONAL                             12\nINFORMATION\n\n     The FDIC Has Established Practices and Initiatives for Safeguarding Personal           13\n     Employee Information\nAREAS FOR IMPROVEMENT \xe2\x80\x93 PHYSICAL SAFEGUARDS                                                 15\n\n     Contracts Did Not Always Contain Privacy Act References, Confidentiality Clauses, or   15\n     Signed Confidentiality Agreements\n\n     Safeguards Over OPFs Were Less Stringent in Regional Offices, and DOA Continues        18\n     to Maintain Unofficial Personnel Files\n\n     Student Interns Continue to Have Access to Personal Employee Information               20\n\n     Mentoring Contractor Is Being Provided SSNs Without a Business Need                    21\n\n     Recommendations                                                                        22\n\nFDIC PRACTICES AND INITIATIVES FOR SAFEGUARDING ELECTRONIC PERSONAL                         23\nINFORMATION\n\n     The FDIC Has Taken Proactive Steps to Identify Systems Containing SSNs                 23\n\n     The FDIC Completed Privacy Impact Assessments for Systems                              24\n     Identified as Containing SSNs\n\n     FDIC Human Resources and Accounting Systems Limit the Use of SSNs                      26\n\n\nAREAS FOR IMPROVEMENT \xe2\x80\x93 ELECTRONIC SAFEGUARDS                                               27\n\n     Opportunities May Exist to Strengthen Document-Level Controls Over Electronic          27\n     Documents Containing Privacy Act or Sensitive Information\n\x0c      The FDIC Needs to Require Some Form of Third-Party Security Review for Contractors    28\n      and Vendors That Maintain Personal Employee Information in Electronic Form\n\n      Recommendations                                                                       31\n\nMATTERS FOR FURTHER CONSIDERATION                                                           32\n\n      
Additional Initiatives Could Be Considered for Increasing Controls for Safeguarding   32\n      Personal Employee Information\nCORPORATION COMMENTS AND OIG EVALUATION                                                     34\n\nAPPENDIX I: Objective, Scope, and Methodology                                               36\nAPPENDIX II: Overview of Applicable Laws and Regulations Related to Privacy                 38\nAPPENDIX III: Responsibilities of the Chief Privacy Officer                                 39\nAPPENDIX IV: Definitions for Privacy Act and Other Forms of Sensitive Information           40\nAPPENDIX V: FDIC Systems of Records Containing Personal Employee Information                41\nAPPENDIX VI: Types of Information Maintained in the Unofficial Personnel System SORN        42\nAPPENDIX VII: Corporation Comments                                                          43\nAPPENDIX VIII: Management Response to Recommendations                                       52\n\n\nTABLES:\nTable 1: FDIC Privacy Program Initiatives                                                   5\nTable 2: OIG Observations Regarding the UPS Notice                                          9\nTable 3: DOA and DOF Sources and Uses of Personal Employee Information                      12\nTable 4: DOA and DOF Contracts Involving Personal Employee Information                      15\nTable 5: OPF File Room Practices and OIG Observations                                       19\nTable 6: OIG Review of Selected PIAs                                                        25\nTable 7: AICPA/CICA Trust Services Principles and Criteria                                  30\n\x0c                                   Acronyms\n\nAICPA   American Institute of Certified Public Accountants\nAO      Administrative Officer\nAPM     Acquisition Policy Manual\nARMS    Automated Records Management System\nASB     Acquisition Services Branch\nBAS     Benefits Allocation System\nCDSSC   Corporate Data 
Sharing Steering Committee\nCHRIS   Corporate Human Resources Information System\nCICA    Canadian Institute of Chartered Accountants\nCIO     Chief Information Officer\nCO      Contracting Officer\nCOTS    Commercial-off-the-Shelf\nCPO     Chief Privacy Officer\nCTAW    Corporate Time and Attendance Worksheet\nCU      Corporate University\nCWG     Collaborative Working Group\nDIT     Division of Information Technology\nDMB     Delivery Management Branch\nDOA     Division of Administration\nDOF     Division of Finance\nDOI     Division of Insurance\nDSC     Division of Supervision and Consumer Protection\nEAB     Enterprise Architecture Board\nEIN     Employee Identification Number\nETVPS   Electronic Travel Voucher Processing System\nFISMA   Federal Information Security Management Act\nFOIA    Freedom of Information Act\nFTC     Federal Trade Commission\nHRB     Human Resources Branch\nIRS     Internal Revenue Service\nISS     Information Security Staff\nIT      Information Technology\nNFC     National Finance Center\nNFE     New Financial Environment\nNPRC    National Public Records Center\nOIG     Office of Inspector General\nOMB     Office of Management and Budget\nOPF     Official Personnel Folder\nOPM     Office of Personnel Management\nPIA     Privacy Impact Assessment\nRMS     Rights Management Services\n\x0cSMS    Security Management Section\nSORN   System of Records Notice\nSOW    Statement of Work\nSSN    Social Security Number\nT&A    Time and Attendance\nTIN    Tax Identification Number\nUPF    Unofficial Personnel File\nUPS    Unofficial Personnel System\n\x0cFederal Deposit Insurance Corporation                                                                         Office of Audits\n801 17th Street NW, Washington, DC 20434                                                         Office of Inspector General\n\n\n\nDATE:                                  January 6, 2006\n\nMEMORANDUM TO:                         Douglas H. 
Jones\n                                       Acting General Counsel\n\n                                       Michael E. Bartell,\n                                       Chief Information Officer and\n                                       Director, Division of Information Technology\n\n                                       Arleas Upton Kea\n                                       Director, Division of Administration\n\n\n\nFROM:                                  Russell A. Rau [Electronically produced version; original signed by Russell A. Rau]\n                                       Assistant Inspector General for Audits\n\nSUBJECT:                               FDIC Safeguards Over Personal Employee Information\n                                       (Report No. 06-005)\n\nIn response to a security breach involving unauthorized access to personal employee\ninformation on a large number of current and former FDIC employees, the Director, Division of\nAdministration (DOA) requested that we evaluate the FDIC\xe2\x80\x99s safeguards over personal\nemployee information. For purposes of this review, we defined personal employee information\nto be information in an identifiable form, including an employee\xe2\x80\x99s name, home address, and\nsocial security number (SSN).1 We focused our work on safeguards over SSNs because the\nsecurity breach involved the unauthorized access and misuse of SSNs. The objective of our\nreview was to evaluate the FDIC\xe2\x80\x99s policies, procedures, and practices for safeguarding personal\nemployee information in hardcopy and electronic form. 
Additional details on our objective,\nscope, and methodology are provided in Appendix I of this report.\n\nBACKGROUND\nThe Federal Trade Commission (FTC) defines identity theft as \xe2\x80\x9ca fraud that is committed or\nattempted, using a person\xe2\x80\x99s identifying information without permission.\xe2\x80\x9d Between January and\nDecember 2004, Consumer Sentinel, the complaint database developed and maintained by the\nFTC, received over 635,000 consumer fraud and identity theft complaints. Consumers reported\nlosses from fraud of more than $547 million.\n\nIn March 2005, the Office of Inspector General (OIG) notified the FDIC that a small number of\ncurrent and former FDIC employees were apparent victims of fraud. In June 2005, the FDIC\nbecame aware that as a result of the apparent fraud, personal employee information for all FDIC\nemployees in an official pay status as of July 2002 had been compromised. The FDIC promptly\nnotified all current and former employees in pay status as of July 2002 of the compromise.\n\n1\n  The Office of Management and Budget (OMB) defines \xe2\x80\x9cinformation in an identifiable form\xe2\x80\x9d as information in a\nsystem or on-line collection that directly identifies an individual (e.g., name, address, SSN or other identifying code,\ntelephone number, e-mail address, etc.) or by which an agency intends to identify specific individuals in conjunction\nwith other data elements.\n\n\n\n\n                                                            1\n\x0cThe Privacy Act of 1974 is the primary statute that regulates the federal government\xe2\x80\x99s uses of\npersonal information. 
The Privacy Act has been augmented by a number of other laws and\nregulations, including the E-Government Act of 2002, Section 208(e); the Federal Information\nSecurity Management Act of 2002 (FISMA); Section 522 of the Transportation, Treasury,\nIndependent Agencies, and General Government Appropriations Act, 20052 (referred to as\nSection 522 for purposes of this report); and OMB Circular No. A-130, Management of Federal\nInformation Resources, Appendix I, Federal Agency Responsibilities for Maintaining Records\nAbout Individuals (OMB Circular A-130, Appendix I). These laws and regulations have required\ngovernment agencies to enhance and report on their privacy programs. Appendix II lists and\ndescribes the laws and regulations applicable to privacy.\n\nThe FDIC has had a privacy program since the inception of the Privacy Act. The FDIC Legal\nDivision\xe2\x80\x99s Freedom of Information Act-Privacy Act Group (FOIA-PA Group) has responsibility for\ncorporate-wide compliance with the Privacy Act. 
Under the Privacy Act, the FDIC is responsible\nfor:\n\n\xe2\x80\xa2   Maintaining in its systems of records3 only such information necessary and relevant to a\n    function that the Corporation is required to perform either by statute or by executive order of\n    the President.\n\xe2\x80\xa2   Ensuring that no records are maintained describing how an individual exercises rights\n    guaranteed by the First Amendment.\n\xe2\x80\xa2   Preparing and publishing a public notice of the establishment or revision of a system of\n    records in the Federal Register, known as a System of Records Notice (SORN).\n\xe2\x80\xa2   Supplying a \xe2\x80\x9cPrivacy Act Notice\xe2\x80\x9d to each individual from whom the Corporation collects\n    information that informs the individual of the authority for the solicitation of information;\n    whether disclosure of the information is mandatory or voluntary; the principal purposes for\n    which the information will be used; the routine uses to be made of the information; and the\n    effects, if any, of not supplying all or part of the information.\n\xe2\x80\xa2   Establishing reasonable administrative, technical, and physical safeguards to assure that\n    records are disclosed only to those who are authorized to have access.\n\xe2\x80\xa2   Ensuring that all records maintained are accurate, relevant, timely, and complete.\n\nEVALUATION RESULTS\n\nThe FDIC has a corporate-wide program for protecting personal employee information, has\nappointed a Chief Privacy Officer (CPO) with responsibility for privacy and data protection\npolicy, and is making efforts to enhance its privacy program in response to legislative\nrequirements and breaches of FDIC employee information.\n\nHowever, we identified opportunities for the FDIC to strengthen its privacy program for\nprotecting personal employee information. 
These additional enhancements will help to ensure\nthat the FDIC: complies fully with privacy-related legislation and regulations; identifies personal\nemployee information maintained by the FDIC and its contractors that needs to be protected;\nand implements sufficient administrative, physical, and technical controls over such information.\n\n\n\n2\n This Act is division H of the Consolidated Appropriations Act, 2005, Public Law No. 108-447.\n3\n A system of records refers to a group of records under the control of an agency from which information is retrieved\nby the name of the individual or by some other identifying particular assigned to the individual.\n\n\n\n\n                                                          2\n\x0c    FDIC\xe2\x80\x99S PRIVACY PROGRAM\n\nIn 2005, the FDIC appointed a CPO with overall responsibility for the Corporation\xe2\x80\x99s privacy\nprogram and designated a Privacy Program Manager to support the CPO in developing and\nimplementing corporate privacy requirements. The CPO is in the process of implementing a\nnumber of privacy-related initiatives, including privacy training programs, to ensure FDIC\nemployees and contractors are aware of and follow privacy requirements, policies, and\npractices.\n\nHowever, the FDIC could do more to: (1) notify corporate employees about Privacy Act\nrequirements and responsibilities and the existence of, routine uses for, and safeguards over\npersonal employee information and (2) ensure effective implementation of Privacy Act\nprovisions. In this regard, the FDIC lacks an overarching privacy policy to coordinate the CPO\nand traditional Privacy Act functions, specify key roles and responsibilities, and define key\nPrivacy Act and sensitive information terminology. Further, the FDIC\xe2\x80\x99s Privacy Act directive is\noutdated and does not include roles and responsibilities for system managers who maintain\nrecords covered by a SORN. 
The FDIC could improve the Unofficial Personnel System (UPS),\na SORN that has not been updated or republished in the Federal Register since 1989. The\nsystem covers a number of FDIC employee records, including records pertaining to parking\npermits, personnel awards, dental insurance, savings plans, retirement benefits, life insurance\ndocuments, and employee locator information. The Corporation could also improve other\nselected SORNs by disclosing that SSNs are maintained in these systems of records. These\nimprovements will help ensure that the FDIC fully complies with the Privacy Act provisions.\n\nChief Privacy Officer Brought Renewed Focus to Corporate Privacy Program\n\nIn March 2005, in response to Section 522, the Chairman appointed the Chief Information\nOfficer (CIO) and Director, Division of Information Technology (DIT), as the CPO for the FDIC.4\nIn the appointment letter, the Chairman designated the CPO \xe2\x80\x9c\xe2\x80\xa6 with responsibility for those\nduties assigned to that position by law and by administrative action, and with overall\nagency-wide responsibility for information privacy issues.\xe2\x80\x9d The Legal Division prepared a\nmemorandum describing the roles and responsibilities of the designated privacy official and\nsubsequently provided its analysis to the CPO, outlining CPO requirements and responsibilities.\nAppendix III presents information from the Legal Division memorandum describing CPO\nresponsibilities, reporting requirements, and other specific tasks.\n\nThe CPO brought a renewed focus to the FDIC\xe2\x80\x99s privacy program and introduced a number of\ninitiatives, including establishing a task force to evaluate FDIC procedures over sensitive\ninformation maintained electronically, designating a Privacy Program Manager to enhance the\nFDIC\xe2\x80\x99s privacy program, and addressing OMB\xe2\x80\x99s FISMA-related reporting guidance regarding\nprivacy.\n\nRisk Mitigation Project Team: In early 2005, the CIO established 
the Risk Mitigation Project\nTeam (Team) to evaluate areas within the Corporation where new or improved procedures\nmight be needed with respect to safeguarding sensitive information held by the FDIC in an\nelectronic format. For the first phase of the project, the Team members chose to limit their\nreview to electronic information that is stored, transmitted, or transported outside the FDIC. On\n\n4\n The Director, DIT, was also designated as the FDIC\xe2\x80\x99s senior official for privacy for purposes of OMB\xe2\x80\x99s Memorandum\nM-05-08, Designation of Senior Agency Official for Privacy, dated February 11, 2005.\n\n\n\n\n                                                        3\n\x0cMarch 30, 2005, the Team submitted a memorandum to the CIO Council5 that identified three\ngeneral areas in which the Team thought immediate attention was necessary to develop:\n\n\xe2\x80\xa2     an FDIC-wide policy on what is to be done if sensitive personal information is lost or\n      inappropriately disclosed,\n\xe2\x80\xa2     a single policy or a centralization of all FDIC policies on safeguarding sensitive information,\n      and\n\xe2\x80\xa2     a corporate culture that embraces the importance of protecting sensitive information.\n\nThe Team prepared:\n\n\xe2\x80\xa2     a brochure covering protection of sensitive data, protection of mobile data storage devices\n      (such as laptops and flash drives), the importance of rapidly reporting the loss or theft of\n      these items, and a contact number; the brochure was later enhanced to cover protection of\n      sensitive data in hardcopy as well as electronic format;\n\xe2\x80\xa2     a wallet-sized card containing the contact information for reporting the loss or theft of data or\n      mobile storage devices; and\n\xe2\x80\xa2     a Web site providing online reference to protection of data and mobile storage devices and\n      the way to report losses of data or devices.\n\nIn October 2005, the CPO sent a global 
message to all FDIC employees and contractors in\nregard to protecting sensitive information. The CPO\xe2\x80\x99s message announced: the impending\nrelease of the brochure and the wallet-sized card to employees and contractors; that the Privacy\nWeb site had been posted; and that DIT was issuing luggage tags with FDIC contact information\nto employees and contractors with FDIC laptops in the event that the laptop was lost or stolen.\nFDIC Privacy Program Manager Enhancements: The CPO designated a Privacy Program\nManager in April 2005 to enhance and implement a comprehensive privacy program. The\nobjective of the CPO\xe2\x80\x99s enhanced privacy program is to ensure that the FDIC is taking\nappropriate steps to protect personal information from unauthorized use, access, disclosure, or\nsharing and to protect associated information systems from unauthorized access, modification,\ndisruption, or destruction. Table 1, on the following page, depicts the numerous initiatives of the\nprivacy program and their status as of October 31, 2005.\n\nThe CPO also indicated that his office was performing a gap analysis between the Legal\nDivision\xe2\x80\x99s list of CPO requirements, discussed earlier, and privacy program initiatives in place.\nThe Privacy Program Manager kept us apprised of developments in the privacy program\nthrough periodic status reports on the work products supporting the Program, the staff assigned\nto various initiatives, and the estimated completion dates for the initiatives.\n\n\n\n\n5\n    The FDIC\xe2\x80\x99s CIO Council advises the CIO on all aspects of adoption and use of information technology at the FDIC.\n\n\n\n\n                                                           4\n\x0c Table 1: FDIC Privacy Program Initiatives\nArea      Initiative                   Estimated                              Status as of October 31, 2005\n                                       Completion\nGovernance     Create a senior-level Privacy Advisory    November 
2005        Privacy Advisory Council directive was drafted, but a\n               Council to advise the CPO.                                     decision was made to incorporate these responsibilities\n                                                                              into the mission of the CIO Council, whose members\n                                                                              will vote on the change to the charter during a\n                                                                              November 2005 meeting.\nPolicy         Develop an approach for reviewing         November 30, 2005    Circular 1031.1 has been updated and is currently\n               and consolidating existing privacy                             being processed for approval within the Corporation.\n               directives and policies.                                       Circular will be retained.\n                                                                              As part of the overarching privacy policy, prepared a\n                                                                              list of directives, policies, and Web sites that contain\n                                                                              privacy-related requirements. Plan to perform analysis\n                                                                              of and determine how, collectively, the directives,\n                                                                              policies, and Web sites protect sensitive personal data.\nPrivacy        Establish a Web site providing a single    Completed           Privacy Program Web site www.fdic.gov/about/privacy\nWeb site       source for privacy requirements,                               available in early September.\n               policy, education, reference, and\n               documentation.\nPrivacy        1. Privacy Briefing for senior            1. Completed        1. 
(Columns: initiative | status or target date | comments)

Training
  1. [initiative text cut off in source] ... managers. | [status cut off in source] | CIO Council training completed on September 6, 2005.
  2. Standalone online privacy training for all employees and contractors. | Completed | October global e-mail sent to all employees and contractors regarding mandatory privacy training.
  3. Approach for developing online privacy training as part of annual Security Awareness training for all FDIC employees. | December 2005 | Security staff review indicated that the Department of Interior (DOI) training module might be a good substitute for current FDIC Security module, with minor strengthening of the Privacy portion.
  4. Approach for developing in-depth online privacy education. | December 2005 | Pending decision on DOI module, which could also be used for in-depth training.
  5. Classroom privacy training. | Currently not contemplated | A 96-slide PowerPoint presentation is available but needs Corporate University "branding".

Privacy Awareness
  1. Prepare an e-mail to all employees and contractors regarding protection of sensitive information. | Completed | October global e-mail sent to all employees and contractors.
  2. Send a package of material to employees and contractors, consisting of a brochure, wallet-sized card, and a luggage tag, addressing the need to protect sensitive data in electronic or paper format. | Completed | Distribution of brochure and wallet card to employees and contractors began on October 18, 2005. Luggage tags were issued to laptop users.
  3. Update Incident Reporting and Response Procedures. | November 2005 | Current procedures have been updated and sent to the Privacy Program Working Group for concurrence prior to implementation. A meeting was scheduled for the week of November 14, 2005 to discuss final changes.
  4. Prepare articles on the privacy program for the FDICNews. | Ongoing | Article appeared in the FDICNews September 2005 issue. The next article is slated for the December 2005 issue.

Privacy Impact Assessments
  A Privacy Impact Assessment will be prepared for each information system containing personal information. | Completed | All Privacy Impact Assessments have been completed and posted on the Privacy Program Web site.

Reporting
  1. FISMA Section D Privacy. | Completed | Final transmittal to OMB (covering items 1 and 2) occurred on October 7, 2005.
  2. OMB A-130 Reviews. | Completed | See item 1.
  3. Initiate review of SORNs. | December 2005 | In planning phase. Meeting was held with Privacy Act Clearance Officer.
  4. Memorandum to the Inspector General from the CPO. | Completed | Memorandum was sent to the Acting Inspector General on September 15, 2005.

Source: July 2005 Privacy Act Presentation to the FDIC Operating Committee and Privacy Program Status Reports.

FISMA Section D, Privacy, Questions: The OMB's June 13, 2005 memorandum (M-05-15) entitled, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, directs the senior agency official for privacy to answer a series of questions regarding the agency's privacy programs. The OMB memorandum also encourages agency Inspectors General to provide meaningful information on their respective agency's privacy program and activities. The CPO provided a memorandum to the OIG, as required, detailing the FDIC's privacy and data protection policies and procedures, summarizing the Corporation's use of information in an identifiable form, and verifying the CPO's intent to ensure that the Corporation's privacy program complies with federal statutes and federal and corporate policies and procedures.[6]

AREAS FOR IMPROVEMENT – PRIVACY PROGRAM

The FDIC has taken or initiated actions designed to strengthen and enhance its privacy program. However, the FDIC could do more to communicate Privacy Act requirements and responsibilities to its employees and to ensure effective implementation of Privacy Act provisions.
In this regard, the FDIC needs to develop policy to coordinate CPO and Privacy Act requirements. The FDIC also needs to update the UPS SORN and revise other SORNs.

Overarching Privacy Policy Needed to Coordinate CPO and Traditional Privacy Act Responsibilities

Section 522, enacted on December 8, 2004, requires, within 12 months of the enactment, that each agency establish and implement comprehensive privacy and data protection procedures governing the agency's collection, use, sharing, disclosure, transfer, storage, and security of information in an identifiable form relating to agency employees and the public. Such procedures should be consistent with legal and regulatory guidance, including OMB regulations, the Privacy Act, and the E-Government Act.

Existing Privacy Act Directive: FDIC Circular 1031.1, The Privacy Act of 1974: Employee Rights and Responsibilities, dated March 29, 1989, offers guidance to employees about the rights provided and the responsibilities imposed by the Privacy Act. Circular 1031.1 was last revised in 1989. The Corporation is updating Circular 1031.1 and recently transmitted a draft directive to divisions and offices for review and comment. In its present and revised form, the circular includes general responsibilities for the Corporation and employees, definitions of the terms "record" and "system of records," and procedures for access to records.

However, neither this circular nor other FDIC directives provide a comprehensive description of the FDIC's privacy and data protection procedures. Elements that should be addressed include:

•   the role, responsibilities, and coordination activities of the CPO, Privacy Program Manager, the Privacy Act Clearance Officer, and FOIA-PA Group;
•   definitions for Privacy Act information and for other sensitive information terminology, such as "personally identifiable information" and "information in an identifiable form";
•   references to key privacy-related federal laws, in addition to the Privacy Act, such as the E-Government Act of 2002, Paperwork Reduction Act, FISMA, and Section 522;
•   OMB privacy-related requirements, such as OMB Circular No. A-130, Appendix I;
•   roles and responsibilities of system managers; and
•   procedures for creating, altering, or terminating a system of records.

[6] The OIG issued Report No. 05-033, Response to Privacy Program Information Request in OMB's Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management, dated September 2005. The report concluded that although the FDIC had taken a number of actions to protect information in an identifiable form, the FDIC needed to complete ongoing initiatives related to: (1) identifying all FDIC-maintained information in an identifiable form and taking appropriate actions to ensure this information is properly protected; (2) reviewing privacy policies and procedures to ensure they are current, comprehensive, and complete; and (3) implementing a corporate-wide training and education program, including job-specific training where appropriate.

Privacy Program Initiative on Policy: As of October 31, 2005, the FDIC's Privacy Program Working Group had completed its research of existing corporate directives and policies that apply to privacy and started work on analyzing the directives, policies, and Web sites that contain privacy-related requirements to determine how the various sources work together to protect the FDIC's sensitive personal data. By November 30, 2005, the Privacy Program Working Group planned to develop an approach for developing an overall policy on privacy following the review of legal requirements and existing privacy-related policies and procedures.

The FDIC's Privacy Program Working Group should accelerate its activities in this area, especially in light of the December 8, 2005 date by which Section 522 stipulates that agencies are expected to implement comprehensive privacy and data protection procedures and strategies. The Privacy Program Working Group should consider the essential elements identified above in developing the overarching privacy directive.

Definitions for Privacy Act and Other Forms of Sensitive Information: The FDIC could benefit from using more clearly defined terms for Privacy Act and other sensitive information; defining the relevant legal framework to be applied, depending on the type of information; and establishing corresponding processes and procedures for safeguarding various types of information. We researched FDIC directives, circulars, and guidance as well as privacy-related laws and regulations to identify a standard definition for personal employee information and sensitive information. We identified numerous definitions in the documents we reviewed, some of which were similar and others that differed from each other. Some notable examples include:

•   FDIC Circular 1031.1: Cites the Privacy Act definition of a "record" as any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his or her education, financial transactions, medical history, and criminal or employment history that contains his or her name, or the identifying number (such as an SSN), symbol, or other identifying particular assigned to the individual, such as a fingerprint or voice print or a photograph.
•   FDIC Web Privacy Guide: Defines personal information (or "personally identifiable information") as any data that identifies an individual, such as, name, e-mail address, home address, other physical address, telephone number, SSN, birth date, place of birth, birth certificate number, and any other data that identifies an individual.
•   OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002: Uses the term "Information in Identifiable Form" and defines the term as information in an information technology (IT) system or online collection (a) that directly identifies an individual (e.g., name, address, SSN, or other identifying number or code, telephone number, e-mail address, etc.) or (b) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification.

None of the guidance we reviewed contained a standard definition of personal employee information. A standard definition could help ensure that all FDIC divisions and offices consistently safeguard similar types of personal employee information.
Appendix IV highlights some of the definitions contained in the various documents.

The FDIC Needs to Update and Republish the UPS SORN and Revise Other SORNs

The Privacy Act describes a system of records as a group of any records under the control of an agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other particular identifier assigned to the individual. The Privacy Act requires that when agencies establish or make changes to a system of records, they must notify the public by a notice published in the Federal Register, which includes, among other things, the type of data collected, the types of individuals about whom information is collected, the intended routine uses[7] of the data, and procedures that individuals can use to review the information. Such SORNs provide FDIC employees and the public with information about the type of personal information the FDIC maintains on individuals, where that information is maintained, and the technical and administrative controls for safeguarding the information. Moreover, the SORN process helps to identify for the FDIC the type of information that needs to be protected.

OMB's guidance to agencies on implementing the Privacy Act states that the public notice provision is a key element of one of the Privacy Act's basic objectives, namely, to foster agency accountability through a system of public scrutiny. OMB Circular A-130, Appendix I, requires that agencies conduct biennial reviews of each SORN to ensure that the notice accurately describes the system of records and to publish changes in the Federal Register.

The FDIC currently maintains 24 systems of records whose notices were published at various times in the Federal Register. We determined that 12 of the 24 systems of records contained personal employee information. Detailed information about the location, storage medium, and safeguards listed in each of the 12 systems of records is included in Appendix V. The FDIC amended and republished all of its SORNs in 2001, except for the SORN for the UPS. The FDIC has neither updated nor republished the SORN for the UPS since August 31, 1989. The UPS notice makes outdated references to:

•   FDIC divisions and offices that are no longer part of the organizational structure (e.g., the Division of Liquidation, the Division of Accounting and Corporate Services, and the FDIC Office of Personnel Management).
•   Discontinued corporate programs, such as the Upward Mobility Program.
•   Incorrect system managers (e.g., the Division of Accounting and Corporate Services is listed as the system manager for Parking Permit Records and Employee Locator Records. DOA is now the system manager for those records).

In addition, because the UPS SORN has not been updated since 1989, the SORN does not address electronic storage media except for computer discs. Further, the UPS SORN states that computer discs are accessed only by authorized personnel, but the SORN does not mention system safeguards, passwords, access controls, or encryption in the storage section of the SORN, which is intended to identify the media in which records are stored. Furthermore, the SORN does not indicate the purpose for the system of records, which, subsequent to 1989, became a requirement of the Office of the Federal Register.

[7] According to the Privacy Act, the term "routine use" means, with respect to the disclosure of a record, the use of such record for a purpose that is compatible with the purpose for which it was collected.

Over time, changes in agency operations or functions may result in increased differences in the records that are contained within a common system of records. Groups of records that once were appropriately combined into a common system may become sufficiently different so that they should be divided into separate systems. In this regard, the UPS SORN identifies seven categories of records broadly defined as personnel-related records that are maintained in addition to those kept in the Office of Personnel Management-required Official Personnel Folders (OPF). Our observations regarding the UPS SORN are in Table 2. Appendix VI lists and describes the seven categories of records in the UPS SORN.

Table 2: OIG Observations Regarding the UPS Notice
(Each row gives the Condition, the Criteria, and the Effect.)

Updates to the UPS SORN
  Condition: FDIC SORN 30-64-0015, UPS, has not been updated since 1989 and is listed in the FDIC Rules and Regulations (30-64-0001, et seq.) with a note stating "to be revised at a later date."
  Criteria: The Privacy Act requires that agencies maintain all records that are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual. OMB Circular No. A-130, Appendix I requires agencies to review SORNs biennially to ensure they accurately describe the system of records.
  Effect: Increases the risk the FDIC will make an adverse determination about an individual on the basis of incorrect information.

Publication of the UPS SORN in the Federal Register
  Condition: The FDIC has not republished the UPS SORN in the Federal Register or on FDIC's public Web site. The FDIC revised all of its SORNs in 2001. Since that time, the UPS SORN, published in the Federal Register, has consisted of a qualifier that the SORN will be revised at a later date.
  Criteria: The Privacy Act requires agencies to publish in the Federal Register a notice of the existence and character of the system of records, when the system is established or revised. In response to a 1998 Presidential Memorandum regarding compliance with the Privacy Act, OMB Circular M-99-05, Attachment B, required agencies to review their systems of records to ensure that Federal Register notices were up-to-date and to publish a notice for any system of records previously overlooked.
  Effect: Without a republished, updated UPS SORN, the FDIC cannot ensure that its employees can exercise their rights to access, review, and amend the records in the SORN, as guaranteed by the Privacy Act.

Categories of Records Within the UPS SORN
  Condition: The UPS SORN includes a number of sources of employee information that could be presented in separate SORNs. The SORN references the following seven categories of records:
    1. Personal Information on individuals.
    2. Parking Permit Records.
    3. FDIC Personnel Awards.
    4. Dental Insurance Records.
    5. Employee Locator Records.
    6. Upward Mobility Files.
    7. FDIC Savings Plan Records.
  Criteria: OMB Circular M-99-05, Attachment B, also required agencies to ensure their systems of records were not inappropriately combined. OMB noted that groups of records that have different purposes, routine uses, or security requirements, or that are regularly accessed by different members of the agency staff, should be maintained and managed as separate systems of records to avoid possible lapses in security.
  Effect: Inappropriately combining groups of records into one system of records limits the FDIC's ability to ensure that routine uses appropriate for certain groups of records do not also apply to other groups of records simply because they have been placed together in a common system of records.

Source: OIG analysis.

Contractor Information: We observed that, although not specifically required to do so, the UPS SORN does not indicate that Privacy Act information is located at an FDIC contractor's facility or that personal employee information data is being maintained by FDIC contractors. For example, the UPS SORN discusses the following information but does not refer to contractors or vendors doing work for the FDIC in these specific areas:

•   FDIC Savings Plan Information: The FDIC has agreements with a trustee for investment and recordkeeping of the FDIC Savings Plan funds and provides the trustee Savings Plan data, records, computer programs, software, reports, and other documents.
•   Dental Benefits Information: The FDIC has a contract with a vendor to provide administrative services for the FDIC Dental Benefits Program, including claim payments.
•   Life Insurance Benefit Program Information: The FDIC has a contract with a vendor to provide life insurance for employees, dependents, and retirees.

The UPS SORN does identify that disclosures of information may be made, where relevant, to (1) the dental insurance carrier in support of a claim for dental insurance benefits and (2) the Savings Plan vendor so that it can carry out its functions as investor of the FDIC Savings Plan funds. However, the UPS SORN states that the records are located in the FDIC Office of Personnel Management, division or office levels in the FDIC Washington office, regional offices, and field offices.
Records containing personal employee information are also located and/or maintained at contractor locations. Legal Division officials agreed to look into the matter.

We also discussed this issue with an OMB privacy official. The official stated that the focus should be on where the employee can get access to the records at issue, where they can request amendment to those records, and who is performing the accounting requirement under the Privacy Act relative to disclosures to third parties. If the location for such access, amendment, and accounting is a contractor location, then the location-of-records section of the SORN should indicate where the records are located. Moreover, according to the official, if the contractor is performing Privacy Act-related responsibilities, the agency's contract with the contractor should specify those responsibilities. The OMB official noted that even if access, amendment, and accounting are handled through the agency, nothing precludes the agency from indicating in the SORN that the records are maintained by a contractor.

Observations on the FDIC's Other SORNs: We observed that SORNs did not always fully describe certain required information, such as all locations where the records are maintained or certain other categories of records maintained in the system. In addition, although not required to do so, several SORNs did not disclose that SSN information was contained in the system of records. For example:

•   Employee Training Information Records (30-64-0007): The categories of records in the system do not identify the SSN as information contained in the records, but the SORN indicates that electronic media are accessible by SSN for retrieval purposes.
•   Financial Information Management Records (30-64-0012): The categories of records in the system do not identify the SSN as information contained in the records, but the SORN indicates that electronic media are retrievable by SSN or specialized identifying number. In addition, the SORN does not reflect Public Transit Subsidy Program[8] payments in the categories of records in the system, despite the fact that the application for this program specifically identifies the Financial Information Management Records SORN in its Privacy Notice.
•   Employee Medical and Health Assessment Records (30-64-0017): The SORN does not indicate that the records contain SSNs. In addition, the SORN does not disclose that records are located at the FDIC's 801 Building location. The routine uses stated in the SORN do not refer to disclosures to the Department of Health and Human Services with respect to the National Directory of New Hires.[9]
•   Fitness Center Records (30-64-0021): The SORN does not indicate that the records contain SSNs. In addition, the SORN does not disclose that records are located at the FDIC's 801 Building location.

[8] On January 13, 2000, the FDIC approved for corporate employees a Transit Subsidy Program designed to encourage employees to use mass public transportation, thereby reducing the use of private automobiles for daily commuting. DOA manages this program.

[9] According to the Personal Responsibility and Work Opportunity Reconciliation Act of 1996, as amended, federal agencies are to provide certain information about newly hired employees to the U.S. Department of Health and Human Services' National Directory for New Hires. In 1997, OMB issued suggested "routine uses" statements regarding disclosure to the Directory.

Recommendations

We recommend that the CPO and General Counsel:

1. Develop and issue an overarching privacy policy to include:

    •   coordination and reporting responsibilities and expectations among the CPO, the Privacy Act Clearance Officer and FOIA-PA Group, and SORN system managers;
    •   references to other relevant privacy and information security directives;
    •   key roles and responsibilities, including SORN system manager responsibilities; and
    •   definitions for information subject to the Privacy Act and for other sensitive information terminology, such as "personally identifiable information," and "information in an identifiable form."

2. Revise and republish the SORN for the Unofficial Personnel System to include updated, accurate:

    •   information about records maintained;
    •   references to FDIC offices, system managers, and safeguards over information; and
    •   identification in the System Location section of information being maintained by contractors or vendors.

3. Determine whether records detailed in the SORN for the Unofficial Personnel System should be republished as separate, individual systems of records.

FDIC PRACTICES AND INITIATIVES TO PHYSICALLY SAFEGUARD PERSONAL INFORMATION

DOA and DOF implemented a number of controls for safeguarding personal employee information, including administrative and physical safeguards such as: limiting access to human resources operations and files; securing office space; eliminating SSNs from most forms and standard reports; and installing personal shredders and locked, high-volume shredding bins. Further, DOA and DOF had several additional initiatives underway to safeguard information.

However, we found that Human Resource Branch (HRB) contracts did not always contain Privacy Act references, confidentiality clauses, or signed confidentiality agreements. We also identified opportunities to increase physical safeguards over personal employee information such as strengthening controls in regional HRB offices, discontinuing the maintenance of unofficial personnel files, and developing limitations on information that student interns may access. We also noted that the FDIC included employees' SSNs in information on the FDIC's mentoring program provided to a contractor, rather than using an alternative identifier. These improvements will help to ensure that the FDIC implements sufficient physical controls over personal employee information.

Sources of Personal Employee Information: We focused our review on DOA and DOF because the two divisions have responsibility for maintaining human resources, payroll, and supplemental payment information on FDIC employees. Table 3 presents the sections and branches within DOA and DOF that work with or maintain personal employee information.

Table 3: DOA and DOF Sources and Uses of Personal Employee Information
  Section or Branch                         Sources and Uses of Information
  DOA
  Human Resources Service Center            Official Personnel Folders. Applications for FDIC employment.
  Benefits Center                           Benefits information (e.g., health, vision, and dental) for current FDIC employees and retirees. Benefit files for deceased employees.
  Strategic HR Services and                 Disciplinary and adverse action case files.
  Labor/Employee Relations
  Human Resources Information               Employee time and attendance and other payroll records; employee personnel action records; and staffing tables.
  Management and Payroll
  Corporate Recruitment and Career          Employee counseling information; employee résumés; mentoring program information; and training rosters.
  Management Services
  Facilities Operations Section             Health Units--Employee medical folders. Fitness Centers--Employee membership and termination of membership; related payroll deduction forms; and medical history, clearance, and authorization forms.
  Security Management Section               Personnel suitability (background) investigations on FDIC employees.
  Corporate Support Section                 Long-term, off-site records storage and shredding services.
  Management Services Branch                Unofficial Personnel Files for DOA and Corporate University (CU).
  DOF
  Accounting Operations Section             Account reconciliations for: employee receivables; payroll-National Finance Center (NFC) accounts; employee home purchases and selling; employee-deferred bonuses; and employee buyouts.
  Receipts and Disbursements                Supplemental payments—life cycle, petty cash. Travel voucher reviews, including Frequent Travel Lodging Stipend and Travel Card Program. Relocation payments and buyout payments.
  Operations Section
Source: Interviews with DOA and DOF officials.

DOA and DOF business practices and initiatives for safeguarding personal employee information are discussed in the next section. For each process, we identified: the administrative, physical, and technical controls over personal employee information; the number and position of staff with access to the information; systems used to maintain and process the information; and whether contractors had access to the information.
We also observed the\nphysical location of hardcopy information stored in FDIC office space and verified that physical\nsecurity controls were in place.\n\nThe FDIC Has Established Practices and Initiatives for Safeguarding Personal Employee\nInformation\n\nThe Privacy Act requires agencies to "establish appropriate administrative, technical, and\nphysical safeguards to insure the security and confidentiality of records and to protect against\nany anticipated threats or hazards to their security or integrity which could result in substantial\nharm, embarrassment, inconvenience, or unfairness to any individual on whom the information\nis maintained.\xe2\x80\x9d In addition, with respect to privacy and security, the Paperwork Reduction Act of\n1995 requires agencies to "implement and enforce applicable policies, procedures, standards,\nand guidelines on privacy, confidentiality, security, disclosure and sharing of information\ncollected or maintained by or for the agency" and "identify and afford security protections\ncommensurate with the risk and magnitude of the harm resulting from the loss, misuse, or\nunauthorized access to or modification of information collected or maintained by or on behalf of\nan agency.\xe2\x80\x9d Both the Privacy Act and the Paperwork Reduction Act are applicable to the FDIC.\n\nThe FDIC has established or initiated numerous practices for safeguarding personal employee\ninformation in hardcopy form. 
DOA has taken the following actions to safeguard personal\nemployee information:\n\n\xe2\x80\xa2   Human Resources (HR) personnel and security management offices that handle or process\n    personal employee information are housed in limited access, secured office space.\n    Cipher-lock doors have been installed to control access to work space.\n\n\xe2\x80\xa2   Official files that contain SSNs, such as OPFs, Labor/Employee Relations case files, and HR\n    benefits files, are kept in locked file cabinets and/or rooms with limited and monitored\n    access. Individuals conducting OPF file reviews, other than an HR specialist and Legal\n    Division representative, must present identification and receive continuous oversight during\n    the review.\n\n\xe2\x80\xa2   As of June 2004, DOA\xe2\x80\x99s Records Management Unit converted full SSNs to truncated SSNs\n    on most FDIC forms.\n\n\xe2\x80\xa2   HRB has either discontinued producing most of its standard reports containing SSNs or\n    restructured its reports to omit SSNs.\n\n\xe2\x80\xa2   HRB headquarters ordered personal shredders for each of its employees. Records\n    Management installed secured shredding bins throughout FDIC Headquarters offices. Only\n    the vendor and a member of Records Management have keys to the padlocked shredding\n    bins.\n\n\n\n\n                                                13\n\x0cDOF also has taken specific steps to safeguard employee sensitive information:\n\n\xe2\x80\xa2   DOF staff views employee SSNs only during the year-end Internal Revenue Service (IRS)\n    Form W-210 reconciliation process. The W-2 forms are printed on a special DIT computer,\n    DOA staff place the forms in envelopes, and the mailroom sends the forms to FDIC\n    employees. 
    DOF stores W-2 forms for 3 years on-site in locked file cabinets inside a cipher-locked file room, after which the W-2 forms are shipped to Iron Mountain (an FDIC off-site data storage vendor).

•   Similar to DOA, in September 2004, DOF's Travel Audit Unit reissued its travel policies, established the use of a truncated SSN in lieu of the full SSN, and requested deletion of SSNs from standard travel forms. A written justification must be submitted to DOF management for review in order to use a full SSN on forms.

•   Travel audit, relocation, and credit card files containing personal employee information are stored in locked file cabinets or cipher-locked file rooms with limited access.

•   DOF is reviewing its relocation program processes and systems that contain personal employee information and is changing its hardcopy forms to only require truncated SSNs.

Further, the FDIC has taken steps to raise FDIC employee awareness about safeguarding sensitive data, including personal employee information:

•   In November 2004, the Associate Director, HRB, sent a reminder to HR Washington, D.C., staff regarding the guidance for determining what is considered "sensitive information," including FDIC's Circular 1031.1 on the Privacy Act and United States Office of Personnel Management's (OPM) Operating Manual, The Guide to Personnel Recordkeeping.

•   In August 2005, DOF reissued a memorandum on Managing DOF's Confidential Records, previously issued in June 1997 and August 2000.
    The memorandum reminded staff of the importance of safeguarding confidential and sensitive materials and protecting confidential information from unauthorized use or disclosure.

•   DIT's Enterprise Architecture Board (EAB) initiated a corporate-wide survey to collect information about sources (electronic as well as hardcopy) of data within the Corporation that contain sensitive information and were outside of major information systems. Sources of data included in the survey were shared drives, personal drives, Access databases, and Excel spreadsheets.

•   The FDIC's CPO is developing an awareness campaign, including the Privacy Program Web site;[11] privacy questions in the annual computer security awareness training; and separate privacy awareness training mandatory for all employees and contractors. The CPO issued a brochure in October 2005 to all employees regarding the safeguarding of sensitive information in electronic and hardcopy form.

[10] IRS form W-2 is an individual's wage and tax statement, which includes information such as name, address, and SSN.
[11] Privacy Program Web site established as of September 9, 2005.

AREAS FOR IMPROVEMENT – PHYSICAL SAFEGUARDS

Contracts Did Not Always Contain Privacy Act References, Confidentiality Clauses, or Signed Confidentiality Agreements

The Privacy Act provides that when an agency contracts for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency is responsible for causing the requirements of the Act to be applied to such a system.
Subsection (m) of the Privacy Act further specifies that any such contractor and its employees are considered to be employees of an agency under the Privacy Act for purposes of the Act's criminal penalties. OMB Circular A-130, Appendix I, describes agency responsibilities for implementing Privacy Act reporting and publication requirements. The Circular requires agencies, every 2 years, to conduct a random sample of agency contracts that provide for the maintenance of a system of records on behalf of the agency to ensure that the wording of each contract makes the provisions of the Privacy Act binding on the contractor and his or her employees.

We identified a total of 15 DOA and DOF contracts and agreements for employee benefits, file room maintenance, and other services involving the maintenance of personal employee information. We reviewed the contract documents and contract files for references to the Privacy Act, confidentiality clauses, and evidence of signed contractor confidentiality agreements, as presented in Table 4.

Table 4: DOA and DOF Contracts Involving Personal Employee Information

Contractor or Vendor                                  Privacy Act   Confidentiality   Signed Confidentiality
                                                      Reference     Clause            Agreement
Benefits Allocation Service (BAS)—Flexible Cafeteria  Yes           No                No
  Benefits Program
Vision Service Plan                                   No            No                No
Connecticut General Life Insurance Company (CIGNA)    No            No                No
Aon Consulting                                        No            No                No
MetLife                                               No            No                No
Labat Anderson                                        Yes           No                No
JHM Research & Development, Inc.                      Yes           No                No
Contract Consultants                                  No            No                No
Ikon                                                  No            No                Yes
Cendant                                               No            Yes               No
Scheduled Airlines Traffic Offices, Inc.              Yes           No                No
Impact Training Systems                               No            No                No
Career Development Leadership Alliance                No            No                No
Source: OIG analysis of contracts and contract files.

As shown, we found that the FDIC did not consistently require that DOA and DOF contracts involving personal employee information include references to the Privacy Act or appropriate confidentiality clauses, or that contractors sign confidentiality agreements. In addition, we identified two FDIC agreements with vendors that provide financial and payroll services, namely, T. Rowe Price and NFC. The T. Rowe Price trust agreement included a confidentiality clause, but not a Privacy Act reference, while the NFC interagency agreement included a Privacy Act reference, but not a confidentiality clause.

Privacy Act References: The FDIC Acquisition Policy Manual (APM) states that a contractor who designs, develops, or operates a system of records regarding personal information, in order to accomplish an FDIC function, must comply with the Privacy Act, and the Contracting Officer will ensure that the Privacy Act is included in all contracts, as appropriate.
As shown in Table 4, the FDIC's contract with the BAS to administer the Flexible Cafeteria Benefits Program contained a one-page discussion requiring the contractor to comply with the Privacy Act and explaining civil and criminal penalties that could result from Privacy Act violations. However, we did not find Privacy Act references in other employee benefits contracts. A Legal Division representative indicated that the benefits contracts should have included references to the Privacy Act.

Under the Privacy Act, agencies are to require that systems of records operated on the agency's behalf under contracts be operated in conformance with the Act. Failure to do so may result in civil liability to individuals injured as a consequence. Moreover, a Legal Division representative noted that the Privacy Act is an operational law and that contractors are bound by the Privacy Act for intentional violations of the Act, regardless of whether the Act is specifically referenced in a contract. However, the Privacy Act does have limitations, and a contractor would not necessarily be bound by the Privacy Act in the event of negligent violations. The Legal Division representative concluded that it was important for FDIC contracts to reference the Privacy Act in order to hold contractors accountable in the event of violations resulting from carelessness or negligence.

The Legal Division representative indicated that Legal representatives would work with the Acquisition Services Branch (ASB) to develop a Privacy Act contract clause, similar to the clause in the BAS contract, and require this clause to be standard language in all FDIC contracts, whether or not those contracts involve Privacy Act information.
Further, the representative indicated that the Legal Division will work with ASB to issue modifications to contracts with the other contractors or vendors listed in Table 4 to include Privacy Act references.

Confidentiality Clauses and Confidentiality Agreements: The FDIC standard contract, used for most procurement actions, contains the following clause that requires a contractor to maintain, on a confidential and non-disclosure basis, any information that it acquires from the FDIC.

       Contractor must ensure the confidentiality of all information, data, and systems provided
       by FDIC or used or obtained by Contractor personnel under this contract and prevent its
       inappropriate or unauthorized use or disclosure. Contractor and all employees working
       on an FDIC contract must sign the Contractor Confidentiality Agreement (attached) no
       later than five (5) business days after starting performance and prior to receiving such
       information, or when receiving their badges, and return the signed Agreements to the
       Contracting Officer. This includes Contractor personnel who are required to work on-site
       at an FDIC facility or have access to FDIC sensitive information or data, systems or
       network.
       Failure to provide the signed Agreements may result in the removal of the
       employee from performing under the contract.

Further, the FDIC APM states that a contractor shall be required to sign a confidentiality agreement, prior to being provided the sensitive information, where a contract requires the rendering of goods or services that are of such a nature that the contractor will receive or might have access to information of a confidential nature, or where the contractor is required to work on-site at an FDIC facility, or has access to information of a sensitive nature.

As shown in Table 4, most of the contracts that we reviewed did not include the confidentiality clause. Further, we were unable to find signed contractor confidentiality agreements for most of the contracts that we reviewed. ASB officials could not definitively explain why the confidentiality clauses were not included in the signed contracts or why confidentiality agreements were not executed for these contracts but surmised that ASB staff mistakenly understood that the clause and confidentiality agreements were required only for DIT-related information technology contracts.

In Evaluation Report No. 00-006, FDIC's Information Handling Practices for Sensitive Employee Data, dated October 11, 2000, we reported that the FDIC did not have a confidentiality agreement in place for CIGNA, one of the contractors listed in Table 4. Because the FDIC indicated that it would work with CIGNA to establish a confidentiality agreement, we did not make a formal recommendation in the 2000 evaluation report.
However, the current CIGNA contract still does not have a signed confidentiality agreement.

According to a Legal Division representative, confidentiality agreements provide an additional level of protection for the FDIC in the event of Privacy Act violations or inappropriate release of confidential information. However, the representative indicated that the FDIC would not be vulnerable in the event that confidentiality agreements were not signed. Nevertheless, the Legal Division representative indicated that confidentiality agreements are important and that confidentiality clauses and confidentiality agreements should be included in contracts involving access to personal employee information.

With respect to whether confidentiality agreements should be required for each contractor employee, a Legal Division representative stated that, ideally, the FDIC should have an officer of the contractor sign a single confidentiality agreement on behalf of the contractor and then certify that individual contractor employees have been apprised of Privacy Act requirements and the importance of maintaining the confidentiality of FDIC data.

Legal Review of Contract Before Contract Award: We concluded that the HRB contracts that we reviewed were not consistently subject to review by the Legal Division before contract award. Legal Division representatives indicated that their division is usually involved in reviewing the contract solicitation package.[12] However, the Legal Division is not always involved in reviewing the final version of the contract before the contract is signed, and ASB is not consistently providing the division with executed copies of contracts.

The FDIC APM identifies the Contracting Law Unit within the FDIC's Legal Division as a member of the team supporting the FDIC's contracting process. The unit supports the development of contracting policy and procedures and provides advice and legal sufficiency reviews.
The APM stipulates procurement responsibilities for the Legal Division, including requirements to (1) review solicitation packages for contracts of $100,000 or more; (2) review complex contracting requirements, as requested by the Contracting Officer (CO); (3) provide advice as required on issues involving contract scope; and (4) provide other assistance as requested by the CO. The APM does not specifically require that the Legal Division review contract documents unless requested by the CO. In a prior evaluation, we reported the need to involve the Legal Division in procurement planning and in the review of key contracting documents such as the contract and SOW prior to contract execution,[13] and we still consider Legal Division involvement to be a valuable control.

[12] The solicitation package includes the request for proposal, a draft copy of the proposed contract, and the proposed SOW.

In January 2005, ASB issued an interim policy memorandum establishing a process for coordinating legal reviews of contractual actions and supporting documents, which specified that the CO and Contract Specialist are responsible for obtaining the appropriate level of legal review and approval for solicitation and contracting actions. The contracts discussed in this report predated ASB's interim policy.
Accordingly, we did not evaluate the effectiveness of the interim policy in ensuring adequate Legal Division review of key contractual documents.

Safeguards Over OPFs Were Less Stringent in Regional Offices, and DOA Continues to Maintain Unofficial Personnel Files

OPM issues government-wide guidance on documenting individuals' federal employment through its Guide to Personnel Recordkeeping, which, among other things, requires agencies to:

      •   implement management controls to ensure that personnel records are protected against loss or alteration;
      •   ensure that personnel records subject to the Privacy Act are secured against unauthorized access (for example, paper or microfiche/microfilmed personnel records subject to the Privacy Act should be stored in locked file cabinets or in secured rooms);
      •   limit access to personnel records subject to the Privacy Act to those employees whose official duties require such access (limitation applies to paper, microfiche/microfilm, and electronic records); and
      •   establish procedures to allow employees or their designated representatives access to their own records (procedures should ensure that the records remain subject to the agency's control at all times).

HR Service Center representatives indicated that the FDIC follows requirements within this guide.

We interviewed officials and observed file room operations for the Headquarters HR Service Center and HR centers in the Dallas and Atlanta regional offices. We identified one area wherein the three organizations were not fully complying with OPM guidance.
Specifically, the three centers transfer OPFs to the National Personnel Records Center (NPRC) at varying times, as shown below, rather than following the OPM-recommended timeframes: within 90 days of the employee's separation from federal service, or for a retirement or death, within 120 days, or until notification that a claim has been processed.

          •   Headquarters HR Service Center transfers OPFs within 2 months of an employee's resignation/termination, 6 months following a reduction in force, and 1 year after retirement or death.
          •   Atlanta HR center transfers an OPF within 1 year following an employee's termination, resignation, reduction in force, retirement, or death.
          •   Dallas HR center transfers an OPF within 6 months following an employee's termination, resignation, reduction in force, retirement, or death.

[13] Evaluation Report No. 04-014, XBAT Contracting and Project Management, dated March 26, 2004.

Timely transfers of OPFs to NPRC could help mitigate the risk of access to personal employee information. We also observed that the contract SOWs for the HR centers in Dallas and Atlanta do not specifically identify OPF file room tasks that should be performed. Further, contractor employees in the headquarters HR Service Center and Dallas HR center were not required to sign confidentiality agreements.
We concluded that the headquarters HR Service Center, and Atlanta and Dallas HR centers, employ varying levels of controls over OPFs as illustrated in Table 5.

Table 5: OPF File Room Practices and OIG Observations

Columns: (a) Contractor-Operated OPF File Rooms; (b) Confidentiality Agreements; (c) Tracking OPFs; (d) Transmission of Standard Form 75* (SF-75)

Criteria
  (a) As required in the FDIC's APM, the SOW should define the work products that are required and address all the elements necessary for successful performance by the contractor.
  (b) The FDIC APM requires a confidentiality agreement when a contract requires the rendering of goods or services that are of such a nature that the contractor will receive or might have access to information of a confidential nature, or where the contractor is required to work on-site at an FDIC facility.
  (c) The Washington, D.C., contract includes the requirement to log in and log out OPFs utilizing a barcoding system.
  (d) The Washington, D.C., contract includes the requirement to provide information using SF-75 to other federal and non-federal employers regarding FDIC employees. DOA Washington, D.C., HRB officials told us that DOA expects contractors to transmit SF-75s via certified mail and a confirmation receipt and identified this practice as a safeguard.

HQ HR Service Center
  (a) SOW identifies OPF File Room tasks performed.
  (b) No signed confidentiality agreement.
  (c) Uses Automated Records Management System (ARMS) through manual keying of SSN in lieu of the barcoding system. Also maintains a manual log book.
  (d) Contractor completes SF-75 and faxes to other agency. Does not request confirmation of receipt.

Atlanta HR Center
  (a) SOW does not identify OPF File Room tasks to be performed.
  (b) Confidentiality agreement signed by contractor employee.
  (c) Does not use ARMS. Uses manual log book and requires that OPFs be returned to the file room at close of business. Legal staff requires a management request and approval to remove an OPF.
  (d) HR completes form. Contractor mails form to other agency and signature of recipient is required.

Dallas HR Center
  (a) Contract is a GSA contract for temporary personnel services. SOW identifies the job classification of services contracted – does not identify OPF File Room tasks to be performed.
  (b) No signed confidentiality agreement.
  (c) Does not use ARMS. Uses an index card placed in a pocket of the temporary OPF file.
  (d) Contractor is not responsible for any tasks relating to the SF-75.

OIG Observations
  (a) SOW level of detail varies among the three contracts.
  (b) Only one contractor employee signed a confidentiality agreement.
  (c) No consistent practice of checking in/out OPFs. Washington, D.C., contractors do not follow the SOW requirement of utilizing the barcoding system for checking in/out OPFs.
  (d) Washington, D.C., contractor employees do not follow the practice of transmitting the SF-75 via certified mail or requesting a confirmation receipt.

Source: Interviews with HR service center staff in headquarters and HR center staff in Atlanta and Dallas and OIG observations and analyses.

* OPM Standard Form 75, Request for Preliminary Employment Data, is used by prospective employers to obtain pre-employment information about an applicant when the applicant's OPF is not available for review.

There are opportunities for DOA to strengthen its safeguards for protecting personal employee information stored in the OPFs. Without strengthening the controls and employing similar controls over official personnel folders in all HR centers, the FDIC could be more susceptible to Privacy Act violations or not fully complying with OPM guidance.

Unofficial Personnel Files for DOA and CU Employees: Some FDIC divisions also maintain "unofficial personnel files" (UPF) or "working files." These files may contain various types of records with personal employee information including, but not limited to, SSNs, performance appraisals, and written notes and memoranda on employee performance.
UPFs are included in the FDIC's UPS SORN, which states that the routine use for files in this system is for the employees' supervisors' use in preparing general personnel actions.

We met with the Administrative Officers (AO) in DOA, DIT, and Division of Supervision and Consumer Protection (DSC) to discuss their practices for safeguarding unofficial personnel files. DOA maintains unofficial personnel files containing training and personnel information on all DOA as well as CU employees. These files contain copies of the employees' SF-50s,[14] which have SSNs, and the files are housed in locked filing cabinets in a locked file room. DOA told us that there are few requests to review the working files, and it is unusual to send a working file to a field office. Usually, employees and managers review the working files in lieu of the OPFs because of convenience. Although there is limited access to these working files, student interns may have access because they handle filing personnel information. DIT also told us that unofficial personnel files are maintained on all DIT employees. The files are stored in locked filing cabinets in a locked file room with access limited to the AO's staff.

We learned that DSC no longer maintains UPFs for its employees. In 2002, DSC returned these files to respective DSC employees. DSC told us that it did not see a need for these files once DOA decentralized and maintained OPFs in the regional offices. Also, with the exception of the New York Regional Office, each DSC regional office has an AO with access to personal employee information in the FDIC's Corporate Human Resources Information System (CHRIS) and New Financial Environment (NFE) for the AO's respective organization.
Additionally, DOF does not maintain UPFs for its employees.

The Privacy Act states that agencies' systems of records should maintain only information that is relevant and necessary to a function that the agency is required to perform. OMB guidance states "in simplest terms, information not collected about an individual cannot be misused and agencies are to assess the relevance and need for personal information … whenever any change is proposed in an existing system of records." DIT and DOA may find it beneficial to assess the need for maintaining UPFs on DIT, DOA, and CU employees and should consider adopting DSC's and DOF's practices of not maintaining UPFs. Doing so would reduce the amount of personal information that requires protection.

Student Interns Continue to Have Access to Personal Employee Information

The FDIC's Student Educational Employment Program consists of two components: (1) the Student Temporary Employment Program, which enables students to earn a salary and meet financial obligations while continuing their education, and (2) the Student Career Experience Program, which provides students the opportunity to obtain work experience that is directly related to their education and career goals with the possibility of converting to a competitive appointment at the completion of the program.

[14] OPM SF-50 (Notification of Personnel Action) constitutes the official notice of a personnel action, including promotions, awards, bonuses, pay adjustments, and retirement plan information. The SF-50 contains personal employee information, including the employee's full SSN.
The FDIC's student interns (except for student interns employed by the OIG and the Chairman's Office) are designated as low-risk positions, and are defined as positions involving duties and responsibilities of limited relation to the FDIC or a corporate program mission. Low-risk positions are subject to a minimum background check.[15] OIG student intern positions are high risk and subject to a full background investigation.

As of May 2005, eight interns were working in HRB: three student interns, four summer (student) interns, and one student trainee. Some of the student interns working in HRB had and continue to have access to personal employee information contained within the FDIC's human resources and payroll systems, computer files included in shared drives, and other sensitive hardcopy documents. For example, student interns in HR are responsible for boxing and shipping OPFs and merit promotion files, both containing personal employee information, including SSNs. One of the interns working in HR has open access to SSN information within CHRIS and NFC and responsibilities that include shredding HR documents and copying and delivering documents containing personal employee information.

Without limitations on student interns' access to personal employee information, the FDIC is at a greater risk that such information could be inappropriately accessed and misused. However, we acknowledge that some interns' duties and responsibilities might require handling personal employee information. In those cases, the FDIC needs to (1) ensure that the student interns participate in the Corporation's privacy awareness training courses or (2) expand the scope of the intern's background check.
In addition, the FDIC should include discussions on safeguarding personal employee information in its student intern orientation seminars.

Mentoring Contractor Is Being Provided SSNs Without a Business Need

The FDIC adopted the Corporate Mentoring Program as a permanent corporate-wide program in 1999 to support a productive workplace by enhancing employees' job skills, empowering employees, and promoting good corporate citizenship. The FDIC Mentoring Program seeks to accomplish these objectives by helping less experienced employees (mentorees) draw upon the experience and knowledge of more experienced employees (mentors). The FDIC Mentoring Program is open to all employees[16] with participation typically limited to a maximum of 200 employees (100 mentorees and 100 mentors) for participation in a 1-year program. DOA Career Management Services administers the program.

During the annual open enrollment period for the FDIC Mentoring Program, applicants use an on-line application process to provide personal information such as name and SSN. The application includes the following Privacy Act statement regarding the collection of information:

         The information on this form may be disclosed in accordance with the other
         "routine uses of records" listed in the FDIC's Unofficial Personnel System,
         30-64-0015. Your Social Security number (SSN) is requested to ensure record
         accuracy.
         Completion of this form is voluntary, but failure to provide the requested information, including your SSN, may result in your registration form not being processed.

15 Low-risk positions are subject to a National Agency Check (which includes fingerprinting), a credit check, and inquiries to prior employers, educational institutions, and law enforcement agencies.
16 Employees must have at least 1 year’s experience with FDIC to participate in the Mentoring Program.

DIT developed and maintains DOA’s database storing the information collected for the FDIC Mentoring Program, including applicants’ SSNs. The database is released to an FDIC contractor that uses the information to develop biographical profiles on the applicants. This contractor has been providing the profiling services to the FDIC since 1999. The contract does not include a Privacy Act reference, confidentiality clause, or a confidentiality agreement.

According to DOA officials, in early October 2005, DOA discontinued the practice of including SSNs in the information released to the contractor. Specifically, DIT eliminated the SSNs from the mentoring database transmitted to the contractor and replaced the SSNs with different identification numbers.

DOA Career Management Services officials told us that they will consider using an identifier other than the SSN for the 2007 mentoring program. Until DOA discontinues requiring the SSN in the mentoring program application, DOA risks maintaining employees’ SSNs without a clear business need.

Recommendations

We recommend the Director, DOA, in conjunction with the General Counsel, Legal Division:

4. Prepare a standard Privacy Act contract clause for use in all contracts involving Privacy Act information.

5. Modify existing contracts discussed in this report to include specific references to the Privacy Act.

6. Require contracts that involve the electronic transmission of Privacy Act information to include encryption requirements.

We recommend that the Director, DOA:

7. Require HRB and DOF contractors listed in this report to sign contractor confidentiality agreements.

8. Remind contract specialists that they should not amend contracts or waive contractor confidentiality statement requirements without Legal Division concurrence.

9. Ensure that regional offices employ controls over official personnel files and any other personal employee information that are equivalent to those implemented by DOA’s headquarters Human Resources Branch.

10. Evaluate and determine whether DOA should adopt DSC’s practice of not maintaining Unofficial Personnel Files or “working files” and consider establishing a corporate-wide policy consistent with that practice.

11. Develop corporate guidelines detailing appropriate job tasks that interns should perform, and strengthen controls over interns’ access to sensitive information.

12. Determine whether an employee identification number or other identifier could be used in place of employees’ SSNs in the Career Management Services’ mentoring program database.

FDIC PRACTICES AND INITIATIVES FOR SAFEGUARDING ELECTRONIC PERSONAL INFORMATION

The FDIC is actively reviewing information within its corporate systems and applications to determine which applications contain SSNs and employee identification numbers (EIN), collectively referred to as tax identification numbers (TIN), and is developing plans to remediate specific applications.
The FDIC has also incorporated privacy questions into its processes for assessing the data sensitivity of applications and certifying and authorizing applications for operational use. The FDIC completed a Privacy Impact Assessment17 (PIA) of 27 applications that the Corporation has identified as containing TINs and posted the PIAs to the FDIC’s external Web site. We confirmed that CHRIS and NFE generally use a system-generated EIN, as opposed to an SSN, except in very few cases. We also verified that the FDIC limits employee access to SSN data within these systems.

However, we noted that the FDIC’s PIA template does not address what opportunities individuals had to decline to provide information or consent to particular uses of information, an OMB requirement for agency PIAs. Further, opportunities may exist to impose document-level controls over electronic files containing Privacy Act information. Finally, contractors and vendors who maintain Privacy Act information for the FDIC, but are not connected to the FDIC’s network, are not subject to any form of information security review or encryption requirement. These additional enhancements will help to ensure that the FDIC implements sufficient technical controls over personal employee information.

The FDIC Has Taken Proactive Steps to Identify Systems Containing SSNs

The OMB 2005 FISMA reporting instructions include a question related to the number of information systems containing federally owned information in an identifiable form and whether the agency has conducted a PIA and published SORNs.
The FDIC is in the process of conducting a two-phased effort to identify SSNs in FDIC applications and in electronic files and hardcopy form.

Corporate Data Sharing Initiative: The FDIC began the Corporate Data Sharing initiative in 1997 to improve the sharing of corporate data assets within the FDIC and between the FDIC and financial institutions, the public, and other government agencies. The FDIC Corporate Data Sharing Steering Committee (CDSSC) is composed of representatives from all divisions and offices and sets the strategic direction for corporate data and information planning, management, and use. The FDIC has organized its corporate data into groups of related data, referred to as families, such as open institution data, procurement data, and FDIC personnel data. The CDSSC established Collaborative Working Groups (CWG) to manage each data family, develop descriptions of the data within each family, and establish business rules for the confidentiality, integrity, and availability of data within each family.18 We reviewed the CDSSC business rules for the Corporate Personnel Data family, defined as information about FDIC employees, former employees, and candidate employees and found that CDSSC established business rules for the confidentiality, integrity, and availability of corporate personnel data.

17 A PIA is an analysis of how information is handled (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
18 Circular 1301.3, Data Stewardship Program, dated September 4, 2001.

Phase I of the SSN Project: In 2005,
the CDSSC tasked the CWGs with assessing the FDIC’s use of TINs. In Phase I of the effort, a small team searched all FDIC databases in the Enterprise Data Architecture for data elements that could indicate tax identifier data. The team then associated each data element to dependent application(s) and developed an inventory of applications containing TINs. In coordination with the DIT project manager, the team identified 62 of the FDIC’s 313 applications as candidates that could reference TINs. After further analysis, the team ultimately recommended 26 applications for remediation to secure TINs within FDIC application systems and corporate databases.19

DIT’s Data Management Section submitted a draft report entitled, Corporate Use of Taxpayer Identification Number Remediation Analysis, dated June 30, 2005, to the CIO. The draft report identified the 25 applications (later increased to 26), potential remediation methods, and cost estimates for remediating the applications. According to DIT representatives, the CIO considered the analysis to be a good first effort but concluded that the scope of the effort needed to be expanded. For example, the Phase I effort did not include NFE or legacy systems integrated with NFE. Further, remediation costs included the initial cost of reprogramming applications but may not have included the associated costs of testing the remediated applications or changes to business processes resulting from remediation.

Application Remediation Effort: DIT’s Delivery Management Branch (DMB) group will be responsible for remediating specific applications. A DMB representative indicated that DIT would begin the remediation effort in early September 2005 after DIT had completed its reorganization.
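As an added illustration, not part of this report and not the FDIC's or DIT's own tooling, the following Python script shows the two steps described above in miniature: a Phase I style search of an application inventory for data elements that could hold a TIN (by column name and by value pattern), followed by the two remediation methods footnote 19 names, masking the field or replacing the SSN with a system-generated identifier such as an EIN. The application and table names, the sample records, the column-name hint list, and the EIN numbering scheme are constructed for the example; a real effort would read the data dictionary or database catalog rather than an in-memory structure.

```python
"""Added example: find columns that may hold tax identification numbers (TINs)
and produce a remediated copy of the data. Constructed for illustration; the
application names, records, hint list, and EIN scheme are not the FDIC's."""
import re
from typing import Dict, List, Tuple

# Column-name fragments that suggest a tax identifier (constructed list).
NAME_HINTS = ("ssn", "social", "tin", "taxid", "tax_id", "taxpayer")

# Nine digits, optionally hyphenated 3-2-4, excluding ranges the Social Security
# Administration does not issue (000/666/9xx area, 00 group, 0000 serial).
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")

Inventory = Dict[str, Dict[str, List[dict]]]   # application -> table -> rows


def sample_inventory() -> Inventory:
    """Constructed sample data standing in for the Enterprise Data Architecture."""
    return {
        "PayrollApp": {"employees": [
            {"emp_name": "A. Smith", "ssn": "123-45-6789", "grade": "CG-12"},
            {"emp_name": "B. Jones", "ssn": "456-78-9012", "grade": "CG-09"},
        ]},
        # A TIN under a neutral column name: found by value pattern, not by name.
        "TravelApp": {"vouchers": [
            {"traveler": "A. Smith", "traveler_id": "123456789", "amount": 412.50},
        ]},
        "TrainingApp": {"courses": [
            {"course_id": "SEC-101", "title": "Privacy Awareness"},
        ]},
    }


def looks_like_tin_column(column: str, values: List) -> bool:
    """Flag a column by name hint, or when most non-empty values fit the SSN pattern."""
    if any(hint in column.lower() for hint in NAME_HINTS):
        return True
    texts = [str(v) for v in values if v not in (None, "")]
    if not texts:
        return False
    hits = sum(1 for t in texts if SSN_RE.match(t))
    return hits / len(texts) >= 0.8


def discover_tin_columns(inventory: Inventory) -> Dict[str, List[Tuple[str, str]]]:
    """Phase I style search: {app: [(table, column), ...]} for columns that may hold TINs."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for app, tables in inventory.items():
        for table, rows in tables.items():
            columns = sorted({c for row in rows for c in row})
            for col in columns:
                if looks_like_tin_column(col, [row.get(col) for row in rows]):
                    findings.setdefault(app, []).append((table, col))
    return findings


def mask_ssn(value) -> str:
    """Masking remediation: keep only the last four digits visible."""
    digits = re.sub(r"\D", "", str(value))
    return "XXX-XX-" + digits[-4:]


class EinRegistry:
    """Substitution remediation: issue one system-generated EIN per distinct SSN."""

    def __init__(self) -> None:
        self._by_ssn: Dict[str, str] = {}

    def ein_for(self, ssn) -> str:
        digits = re.sub(r"\D", "", str(ssn))      # "123-45-6789" and "123456789" agree
        if digits not in self._by_ssn:
            self._by_ssn[digits] = f"EIN{len(self._by_ssn) + 1:06d}"
        return self._by_ssn[digits]


def remediate(inventory: Inventory, findings, registry: EinRegistry,
              mode: str = "substitute") -> Inventory:
    """Return a copy of the inventory with every flagged column masked or replaced by an EIN."""
    if mode not in ("substitute", "mask"):
        raise ValueError("mode must be 'substitute' or 'mask'")
    out: Inventory = {}
    for app, tables in inventory.items():
        flagged = set(findings.get(app, []))
        out[app] = {}
        for table, rows in tables.items():
            new_rows = []
            for row in rows:
                new_row = dict(row)               # leave the source records untouched
                for col, val in row.items():
                    if (table, col) in flagged:
                        new_row[col] = registry.ein_for(val) if mode == "substitute" else mask_ssn(val)
                new_rows.append(new_row)
            out[app][table] = new_rows
    return out


if __name__ == "__main__":
    inv = sample_inventory()
    found = discover_tin_columns(inv)
    print("candidate TIN columns:", found)
    for app, tables in remediate(inv, found, EinRegistry()).items():
        print(app, tables)
```

The value-pattern check is what catches the travel voucher column, whose name gives no hint that it carries an SSN; a name-only search would have missed it, which is the kind of gap the expanded Phase I scope was meant to close. Using one registry across applications keeps the substituted identifier stable, so the same person maps to the same EIN in every remediated system.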
The representative stated that DMB had not established a time table or milestones for project completion and had not made cost estimates for the remediation effort. The representative also stated that DMB will likely prioritize the list of 26 applications to remediate those applications that present the most risk for the Corporation.

Phase II of the SSN Project: In August 2005, the CIO issued a memorandum to division and office directors, announcing the second phase of the SSN effort to collect information about electronic and hardcopy sources within the Corporation. This effort covered those systems that contain sensitive information in, for example, Microsoft Word documents and Excel spreadsheets developed by individual employees or organizational units. The EAB gathered the information through an Internet survey. The CIO requested survey completion by September 23, 2005. According to DIT’s October 2005 Monthly Status Report to the Chief Operating Officer, all divisions and offices reported their inventory items. The results will be analyzed and provided to the CPO.

The FDIC Completed Privacy Impact Assessments for Systems Identified as Containing SSNs

The E-Government Act of 2002 provides protection for personal information in government information systems or information collections by requiring that agencies conduct PIAs. The FDIC developed a PIA guide and template in July 2005. According to the Privacy Program Status Report, dated October 31, 2005, DIT had completed PIAs for 27 applications that it identified as containing SSNs. We reviewed the PIA template and the completed PIAs for five applications containing personal employee information.
We compared the PIA to guidance contained in the E-Government Act and in OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003. With the exception of one item, we concluded that the PIAs addressed each of the OMB-required elements as shown in Table 6.

19 Remediation could include eliminating data fields within an application that contain SSNs or masking data fields containing SSNs so that system users are unable to view the SSN.

Table 6: OIG Review of Selected PIAs

Systems reviewed: CHRIS; NFE; Training Server; Electronic Travel Voucher Processing System (ETVPS); Multi-Tier Applications Architecture Project (Multi-Tier).

Did the PIA …

Q1. Analyze and describe what information was to be collected?
    CHRIS: Yes   NFE: Yes   Training Server: Yes   ETVPS: Yes   Multi-Tier: Yes

Q2. Analyze and describe why the information was being collected?
    CHRIS: Yes   NFE: Yes   Training Server: Yes   ETVPS: Yes   Multi-Tier: Yes

Q3. Analyze and describe the intended use of the information?
    CHRIS: Yes   NFE: Yes   Training Server: Yes   ETVPS: Yes   Multi-Tier: Yes

Q4. Analyze and describe with whom the collected information was to be shared?
    CHRIS: Yes   NFE: Yes   Training Server: Yes   ETVPS: Yes   Multi-Tier: Yes

Q5. Analyze and describe what opportunities individuals had to decline to provide information or to consent to particular uses of information and how individuals could grant consent?
    CHRIS: Not in PIA, but CHRIS Time & Attendance (T&A) login includes notice.
    NFE: Not in PIA, but NFE login includes notice.
    Training Server: Not in PIA, Training Server does not include notice.
    ETVPS: Not in PIA, but ETVPS login includes notice.
    Multi-Tier: Not in PIA, but most FDIC employees do not access this system.

Q6. Analyze and describe how the information was to be secured (administrative and technological controls)?
    CHRIS: Yes   NFE: Yes   Training Server: Yes   ETVPS: Yes   Multi-Tier: Yes

Q7. Analyze and describe whether a system of records is being created under the Privacy Act?
    CHRIS: Yes   NFE: Yes   Training Server: Yes   ETVPS: No    Multi-Tier: Yes

Q8. Identify what choices the agency made regarding an IT system or collection of information as a result of performing the PIA?
    CHRIS: Yes   NFE: Yes   Training Server: Yes   ETVPS: Yes   Multi-Tier: Yes

Source: OMB Memorandum M-03-22 and OIG analysis of selected PIAs.

As shown, the PIAs that we reviewed did not address question 5. However, systems for three of the five PIAs that we reviewed contained the required notice at the system log-in screen. A DIT representative agreed to update the PIA template and the completed PIAs to address question 5.

We observed that DIT completed PIAs for all of its systems identified as containing TINs. OMB M-03-22 indicates that a PIA is not required where information relates to internal government operations, such as Web sites, IT systems, or collections of information that do not collect or maintain information in identifiable form about members of the general public.
However, OMB encourages agencies to conduct PIAs on systems that collect information in identifiable form about government personnel. A number of the applications for which the FDIC has conducted PIAs are internal systems that contain information about FDIC employees, but do not contain information about the general public.

FDIC Human Resources and Accounting Systems Limit the Use of SSNs

CHRIS, an integrated system that supports all existing FDIC HR functions, is based on the Federalized Commercial off-the-Shelf (COTS) HR software solution provided by PeopleSoft. CHRIS was implemented corporate-wide through four major releases spanning from February 2001 to May 2005, with the latest release, CHRIS T&A, being focused on time and attendance functionality.

CHRIS T&A System: The predecessor system to CHRIS T&A, the Corporate Time and Attendance Worksheet (CTAW), used employee names and SSNs to ensure record accuracy and for identification purposes. In a previous evaluation report issued in October 2000,20 we reported that FDIC officials consistently identified CTAW as the area in which employee data was vulnerable, in part, because officials had observed in many instances that CTAW forms, containing SSNs, were left unattended in either in-boxes or on the desks of employees, supervisors, or timekeepers. As a result, officials believed that these forms could be seen by others who should not have access to this information. At the time of the prior evaluation, FDIC officials were in the process of replacing CTAW with CHRIS T&A and had planned to use a different EIN when CHRIS was implemented.

CHRIS T&A replaced CTAW as the FDIC’s T&A system in May 2005.
CHRIS T&A is a Web-based, employee self-service system that automates the leave and premium pay request process, provides an interface with NFE for accounting and cost management data, and is based on a COTS T&A system designed specifically for agencies using NFC payroll processing. The FDIC no longer uses SSNs for its T&A processing and has established unique employee identifiers – EINs – to replace SSNs. We reviewed CHRIS and NFC staffing tables and verified that the tables did not include SSNs.

CHRIS HR System: CHRIS HR is a human resources software solution developed in PeopleSoft and provides DOA with an integrated system to support existing HR functions. CHRIS HR provides employee information to NFE. Although CHRIS HR has SSNs, the FDIC has limited the number of individuals having access to the SSN field in CHRIS HR. We reviewed the CHRIS HR Security Administrator User’s Guide and noted that it specified a number of security requirements for gaining access to the system.

In 2004, DOA conducted a security review to determine DOA employee access to sensitive computer systems and data, including CHRIS, and to ensure that the position risk level designations for employees having access to this information were proper in relation to the access. As a result of this security review, 208 DOA employees with CHRIS access had their position designations upgraded from low risk to moderate risk. Moderate-risk positions undergo a more extensive background investigation than low-risk positions.

20 Evaluation Report No. 00-006, FDIC’s Information Handling Practices for Sensitive Employee Data, dated October 11, 2000.

NFE System: In May 2005, the FDIC implemented the NFE, an enterprise-wide, integrated software solution to support the financial needs of the FDIC. NFE modernized the FDIC’s financial systems by implementing PeopleSoft functional modules to support existing business processes, absorbing legacy systems, renovating legacy systems not absorbed by NFE, and coordinating with CHRIS T&A developmental efforts that interoperate with NFE. NFE accesses SSNs only through the Payroll Module, which is a part of CHRIS HR, and the SSN is captured when the record is established for a new employee. The EIN is used at all other times. The NFE initiative established the following processes for electronically safeguarding personal employee information:

       • NFE interfaces with the ETVPS, Relocation Management System, and Separation Incentive Payment System and automatically converts the SSN to the EIN when printing transaction reports or processing payroll. Two separate user identifications are required to view SSNs in CHRIS HR and NFE. Requests for system access are also subject to supervisory approval. DOF limits access to SSN data and reviews the NFE access levels every 6 months.

       • All supplemental payments such as life cycle, petty cash, telephone reimbursements, and examiner/executive payments are coded by EIN and paid through the Payroll Module in lieu of the Accounts Payable Module. With the exception of the W-2s, all supplemental payments are printed out with the EIN instead of the SSN.

       • The Payroll Bridge System interfaces with NFE and translates payroll data to create journal entries for the general ledger. The Payroll Bridge System creates files with SSNs and sends information to the Data Warehouse.
         However, to access data, DOF requires an employee to have two access roles and identification codes.

       • ETVPS contains SSNs in electronic form. Truncated SSNs can be seen by a user, but the SSN cannot be printed from ETVPS. DOF has limited the access to the SSNs to nine employees in the Travel Audit Group and Security. DOF performs a semiannual reliability review of the data and a review of the user access levels to the ETVPS data. An employee is required to have an FDIC identification badge to access ETVPS, which contains the employee’s Entrust21 security profile.

In addition to the security efforts for NFE, DOF also initiated a project in July 2005 related to access control and maintenance of DOF’s shared drive. This project consisted of a review of folders and associated sub-folders in the shared drive by the cognizant DOF manager to ensure that access to the folders and sub-folders is appropriate and that the need for the folder and its sub-folders still exists. DOF anticipated completing this project by the end of 2005 and established a goal to perform this type of review annually.

AREAS FOR IMPROVEMENT – ELECTRONIC SAFEGUARDS
Opportunities May Exist to Strengthen Document-Level Controls Over Electronic Documents Containing Privacy Act or Sensitive Information

Typically, organizations secure digital information by using perimeter-based security methods, such as firewalls, that limit access to a network, and access control lists, that restrict user access to specific data. Organizations may also use encryption and authentication technologies and products to help secure e-mail transmissions.
Although these methods help to control access to sensitive data, they do not prevent recipients of such data from copying, printing, or further distributing sensitive information. For example, within the FDIC’s network, a recipient of an encrypted file may forward the file, unencrypted, to another recipient.

21 Entrust is the software that the FDIC uses to encrypt and digitally sign e-mail messages and files.

Rights Management Services (RMS) is a relatively new technology from Microsoft for use with Microsoft Office 2003 and Windows Server 2003, which augments an organization’s information security by providing protection of information through persistent usage policies that remain with the information, regardless of where it is sent. For example, persistent use technologies may:

     • Prevent a recipient from copying, printing, saving, editing, or forwarding information to another recipient.
     • Place time limits after which a document cannot be opened.
     • Specify different rights for individual users (e.g., account managers are granted rights to alter or print data, while other users are limited to “read only” access).

The FDIC has instituted a number of effective controls at the system and application level. However, controls could be strengthened at the document level. RMS technology could provide a solution to enhance document-specific controls. During an earlier OIG audit of the FDIC’s e-mail security,22 we found that the FDIC had limited assurance that employees and contractors encrypt sensitive e-mail communications when required. We determined that technical shortcomings with the FDIC’s implementation of encryption were a contributing factor for employees not encrypting sensitive e-mail communications.
As a result, we recommended that DIT evaluate alternative solutions to augment its implementation of encryption for securing sensitive e-mail communications, including giving consideration to implementing RMS technology. In its response, DIT indicated that it was evaluating alternative solutions, including RMS, and would have the evaluation completed by November 30, 2005.

A key factor that DIT should consider in its evaluation is the Corporation’s migration to Microsoft Office 2003 subsequent to our e-mail security audit. With this migration, the Corporation is in a better position to implement RMS. We intend to follow up on this issue by reviewing DIT’s evaluation that was prompted by our prior recommendation.

The FDIC Needs to Require Some Form of Third-Party Security Review for Contractors and Vendors That Maintain Personal Employee Information in Electronic Form

The OMB 2005 FISMA reporting instructions23 include guidance for federal agencies on the applicability of FISMA to government contractors. The OMB guidance references Section 3544(b) of FISMA,24 which requires each agency to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The OMB guidance indicates that agencies must develop policies for information security oversight of contractors and other users with privileged access to federal data.

OMB also notes that FISMA requires agencies to provide security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency and for information systems used or operated by an agency or other organization on behalf of an agency. OMB further notes that agencies are fully responsible and accountable for ensuring that all FISMA and related policy requirements are implemented and reviewed and are included in the terms of a contract. OMB specifies that agencies must ensure identical, not “equivalent,” security procedures. For example, annual reviews, risk assessments, security plans, control testing, contingency planning, and certification and accreditation must, at a minimum, explicitly meet guidance from the National Institute of Standards and Technology. Agencies are also responsible for ensuring that contractor personnel receive appropriate training.

22 Report No. 05-016, Security Controls Over the FDIC’s Electronic Mail (E-Mail) Infrastructure, dated March 2005.
23 OMB Memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated June 13, 2005.
24 The reference to Section 3544(b) is a reference to 44 United States Code § 3544, which FISMA added to the Code.

FDIC Contractor Security Guidance: FDIC Circular 1360.17, Information Technology Security Guidance for FDIC Procurements/Third Party Products, dated June 30, 2003, establishes a framework for incorporating security into all phases of the IT acquisition process and for establishing IT security requirements for third-party providers who wish to provide automated data processing contract services or products to the FDIC.
The scope of the circular applies to contractors and others who participate in IT contracting with the FDIC and to non-FDIC products and individuals that service, handle, manage, or interface with FDIC data or systems.

Among other things, the circular requires that connections to all FDIC platforms, operating environments, and applications be protected to prevent unauthorized access and assure accountability and integrity. Additionally, the circular requires security controls for the protection of sensitive data to be documented and provided to the contract oversight manager. The circular defines an automated information system as an application of information technology that is used to process, store, or transmit information.

DIT Contractor Security Reviews: Circular 1360.17 requires DIT Information Security Staff (ISS) to conduct periodic reviews of third-party servicers and COTS products for compliance with FDIC security policies and standards before, during, and following the period of contract performance or product service to the FDIC.

ISS has not performed security reviews of any of the HRB or DOF vendors discussed in Table 4 of this report. ISS indicated that Circular 1360.17 is intended for contractors who have direct connections to the FDIC’s computer network. None of the contractors shown in Table 4 has direct connections to FDIC’s computer network. ISS also questioned the feasibility of requiring contractors to maintain identical security controls or conducting security reviews at contractors that service multiple federal agencies. ISS noted that contractors with multiple federal clients could be subject to varying degrees of security controls and multiple security reviews by individual agencies.
ISS indicated that the federal CIO Council had discussed the reasonableness of OMB’s guidance and its repercussions at federal agencies and raised these concerns with OMB.

We agree that requiring identical security controls and conducting security reviews of contractors that do not have direct connections to the FDIC’s network could be problematic, especially for contractors that work with multiple federal agencies. However, these contractors do maintain FDIC personally identifiable information, and the FDIC should be taking reasonable steps to ensure that contractors have adequate security controls in place commensurate with the risks and magnitude of harm resulting from unauthorized access to the information. We concluded there may be means to obtain assurances of adequate security for contractor-maintained information other than an ISS-performed security review as discussed below.

Third-Party Security Reviews: The increased use of technology and third-party service providers has resulted in complex systems and new business processes that increase productivity and efficiency but also increase the risks related to information security and privacy. Several entities have developed third-party programs to provide independent assurance about the security, availability, processing integrity, on-line privacy, and confidentiality of a contractor or service provider’s Web site or computer system.
Examples of third-party programs include the Council of Better Business Bureaus’ award seals for on-line privacy and on-line reliability, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) Trust Services engagements, and the TruSecure Enterprise Certification.

AICPA/CICA Trust Services are professional assurance and advisory services based on core principles and criteria, presented in Table 7, that are designed to address the risks and opportunities of information technology. SysTrust and WebTrust are two specific services developed by the AICPA/CICA that are based on the Trust Services Principles and Criteria. SysTrust engagements provide assurance on the reliability of a computer system, while WebTrust engagements provide assurance on an organization’s E-commerce system.

Table 7: AICPA/CICA Trust Services Principles and Criteria

     Security               The system is protected against unauthorized access, both physical and logical.
     Availability           The system is available for operation and use as committed or agreed to.
     Processing Integrity   System processing is complete, accurate, timely, and authorized.
     Online Privacy         Personal information obtained as a result of E-commerce is collected, used, disclosed, and retained as committed or agreed to.
     Confidentiality        Information designated as confidential is protected as committed or agreed to.

Source: AICPA Web site.

Entities meeting Trust Services criteria are eligible to display the SysTrust or WebTrust seal on their system or Web site to indicate independent verification that an entity’s system meets the Trust Services criteria.
A Trust Services seal reveals the date the seal was granted and the\ndate it expires, the site\'s business practices and policies, Trust Services Principles and Criteria\nused to examine the site, the report of the independent accountant, and links to other sites with\nactive WebTrust seals.\n\nThe TruSecure25 Enterprise Certification is another form of third-party review and is an\nintegrated, continuous security program that addresses the most significant sources of risk\nacross all the dimensions of an organization, providing security assurance in six major areas of\nrisk: electronic threats and vulnerabilities, malicious code, privacy, physical security, and\nhuman factors. In the TruSecure Enterprise service, TruSecure analysts conduct a number of\nanalyses of an organization\xe2\x80\x99s critical assets and locations. Additionally, the analysts visit a site\nto assess current risk levels and then work with network administrators over a period of time to\ncreate a customized program that meets the company\xe2\x80\x99s business and information security\nneeds. TruSecure analysts repeat the electronic and on-site visits during the course of the\nprogram to ensure recommendations and mitigations have been applied. A Web-based console\nthat ties into a proprietary database at TruSecure\xe2\x80\x99s Security Operations Center keeps track of\ncompliance and creates a \xe2\x80\x9cGuidance Map\xe2\x80\x9d for security administrators to follow in the progress\n\n25\n     TruSecure is a security intelligence and service provider.\n\n\n\n\n                                                             30\n\x0ctoward optimal risk reduction and ultimately, TruSecure Certification. 
We determined that\nCendant, an FDIC contractor that services the FDIC Relocation Program through its system,\nClient Connect, completed an organizational risk assessment and received the TruSecure\nEnterprise Certification.\n\nMoreover, pending legislation, the Personal Data Privacy and Security Act of 2005 (S.1789),\nwould amend FISMA, Section 3544(b), to require agencies to develop and implement\nprocedures for evaluating and auditing the information security practices of contractors or third\nparty business entities supporting the information systems or operations of the agency involving\npersonally identifiable information and ensuring remedial action to address any significant\ndeficiencies.\n\nSome form of third-party security review would provide the FDIC independent assurance that\ncontractor Web sites and systems contain adequate controls to protect the security,\nconfidentiality, and privacy of FDIC personal employee information. Ideally, the Corporation\ncould require, during the contract solicitation process, that qualified offerors obtain a third-party\nsecurity review and maintain that designation throughout the term of the contract. Requiring a\ncontractor to obtain a single security review that multiple federal agencies or other customers\ncould rely upon would be a more reasonable approach than requiring multiple security reviews\nof a contractor by individual agencies. Requiring a third-party review would also place\nresponsibility on the contractor for demonstrating that it has adequate Web site and system\nsecurity.\n\nFinally, Circular 1360.17, Information Technology Security Guidance for FDIC Procurements/\nThird Party Products, does not address information security expectations and requirements for\ncontractors that maintain Privacy Act or sensitive information (e.g., open bank or procurement\nsensitive information) but that are not directly connected to the FDIC\xe2\x80\x99s network. 
The circular also lacks encryption requirements for electronic transmissions to these contractors.

Recommendations

We recommend that the CPO:

13. Revise the PIA template and completed PIAs to include a question pertaining to the opportunities system users have to decline to provide information or to consent to particular uses of information and how system users may grant consent.

14. Research, including discussing with CIO counterparts from other agencies and the OMB, the feasibility, benefits, and costs of requiring that contractors and vendors who are not connected to the FDIC’s network, but who maintain Privacy Act information on behalf of the FDIC, receive some form of third-party information technology security review.

15. Revise FDIC Circular 1360.17, Information Technology Security Guidance for FDIC Procurements/Third Party Products, to include security expectations, including encryption requirements, for contractors and vendors that are not connected to the FDIC’s network but maintain Privacy Act information on behalf of the FDIC.

MATTERS FOR FURTHER CONSIDERATION

Additional Initiatives Could Be Considered for Increasing Controls for Safeguarding Personal Employee Information

We identified several other controls that the FDIC could consider to further heighten awareness among corporate employees for safeguarding personal employee information entrusted to them.

File Clean-up Days: The FDIC’s policy is that all sensitive records, regardless of where they are physically stored, must be destroyed by shredding, pulping, maceration (in the case of computer discs and CDs), or similar manner that prevents access to the information captured in the disposable files. In conforming to corporate policy, DOA’s Corporate Services Records Management Unit installed secure shredding bins throughout headquarters offices to be used on an ongoing basis for disposal of sensitive and confidential material. The FDIC’s off-site records storage vendor is responsible for periodically replacing full bins with empty bins and destroying the sensitive documents off-site. In addition, through the FDIC’s national contract with the off-site records storage vendor, shredding bins are being used throughout the Dallas and Kansas City offices, including certain smaller area offices.

Government Security – The Risks and Costs of Inadequate Security

Did you know...

•   Most information that is shared unwillingly is done so by leaving documents and computers unattended, even if only for a few minutes.
•   Most trespassing incidents occur because offices do not keep their offices secured, neglect to regularly change access codes, or choose unrelated access codes each month.
•   Most breaches of security occur during business hours while other people are present.

Source: Federal Lock & Safe, Inc. (FedLock).

In conjunction with these efforts, we suggested to DOA that it consider sponsoring a file clean-up day in preparation for the relocation of FDIC employees from various headquarters offices in downtown Washington, D.C., locations to the FDIC’s Virginia Square complex scheduled to take place in early 2006. We envision a file clean-up day to be one wherein employees spend the day cleaning files, discarding records no longer needed, and preparing files and documents for disposal by shredding, pulping, or maceration as specified in the FDIC’s policy. Future clean-up days could be scheduled periodically, as needed. DOA officials appeared receptive to this suggestion, especially in light of the pockets of unofficial personnel files -- such as employee folders maintained by supervisors -- that exist in the Corporation.

Clean Desk Policy and DOA Walk-Through Monitoring: In Evaluation Report No. 00-006, FDIC’s Information Handling Practices for Sensitive Employee Data, dated October 11, 2000, we reported that the FDIC had procedures and practices in place that were designed to prevent unauthorized disclosure or access to records or systems to individuals without a business need to know. Included in the general practices was the FDIC’s implementation of clean desk policies in some offices to help ensure that sensitive information was not inadvertently left unattended. HR officials told us that the clean desk policy was no longer being practiced in their respective groups, but said that other controls, such as limited access to work areas wherein personal employee information is being maintained, were still in place.
We suggest that the FDIC encourage its corporate managers that routinely handle personal employee information to adopt the clean desk policy during non-working hours. We also suggest that DOA periodically perform walk-through inspections of its offices and work areas wherein personal employee information is maintained in order to continually monitor the physical safeguards for protecting the sensitive data. For example, DOA representatives could make spot checks of copiers and telefax machines to determine whether documents containing sensitive information are being left unattended and observe the types of documents being discarded in trash cans to ensure that sensitive information is not included.

Sending Periodic Reminders to Regional Staff: In November 2004, the HR Associate Director, DOA, sent an electronic message to HR staff in headquarters regarding the protection of sensitive personnel information and the need to encrypt messages that contain sensitive information being sent to FDIC vendors. The message referenced and provided electronic links to the following:

•   Circular 1310.5, which requires that individual division/office managers establish specific requirements regarding encrypting and digitally-signing electronic messages. The circular also states that electronic messages and attachments containing personnel-related actions should be considered for encryption.
•   FDIC guidance and instructions for digital signature and encryption.
•   Circular 1031.1, which provides guidance to employees about the rights provided and the responsibilities imposed by the Privacy Act of 1974.
•   OPM’s The Guide to Personnel Recordkeeping, which addresses, in part, security issues regarding the use of personnel records containing sensitive or private information.
•   A list of the types of communications that HR staff have with potential employees, employees on board, OPM, and FDIC organizations, including recommendations for encryption when the information is sent through electronic messages.

We suggest that DOA periodically update and reissue the information from the November 2004 electronic message to HR staff in headquarters and regional offices to maintain awareness.

Informing Employees about the Availability of Security Tips: DIT’s Web page and DOA’s Security Management Section (SMS) Web page include links to SECURITYsense, a publication of the National Security Institute, Inc., an organization established in 1985, which provides a variety of professional information and security awareness services to the federal government and private industry. SECURITYsense is a monthly newsletter on information security that includes the latest exploits, vulnerabilities, and tips on using personal computers, personal data, and personal information. DIT subscribes to this newsletter. The following are examples of some of the topics discussed in the newsletters:

•   Identity Theft: Know the Warnings (October 2005).
•   5 for the Road: Protect Your Laptop (and the Data Inside It) (July 2005).
•   10 Data Security Tips for All Employees (April 2005).
•   10 Ways to Work More Securely (February 2005).
•   Q&A: How Vulnerable is Your Social Security Number? (December 2004).
•   Five ID Theft Tips: More Firms Guarding Employee Data (October 2004).
•   ID Theft and the Workplace: 5 Things You Need to Know (June 2004).

The National Security Institute, Inc., suggests seven ways for subscribers to deliver SECURITYsense to employees:

    1. Post each new issue on the company Web site.
    2. Electronically mail the monthly contents page to all employees.
    3. Publish articles in the company newsletter.
    4. Make an attractive poster out of any of these quick-read stories.
    5. Create handouts that will actually get read.
    6. Reprint content for use in memoranda or bulletins.
    7. Create a pop-up window that features an article or tip.

We suggest that the FDIC publicize to its employees and contractors the availability of SECURITYsense on its Web site and encourage employees and contractors to read the newsletters.

SMS Physical Security Inspections and Proprietary and Cipher Locks: In July 2005, SMS conducted a physical security assessment of DOA’s Benefits Center and recommended that the Center discontinue using SSNs in its correspondence and consider adopting the clean desk policy for its operations. We encourage the FDIC to periodically remind its employees about the SMS’ physical security vulnerability assessments and encourage those organizations that routinely handle personal employee information to request an SMS assessment.

Government Security – The Risks and Costs of Inadequate Security

Here are some security tips…

•   Never leave classified or critical documents unsecured.
•   Never leave your office or desk unsecured.
•   Always change combinations on safe locks every year, without fail (it’s the law for sensitive document storage).
•   Always change combinations on safe locks any time the person who was the primary user of the safe leaves the organization.

Source: Federal Lock & Safe, Inc. (FedLock)

SMS officials also suggested that FDIC organizations handling personal employee information consider adopting the following best practices with respect to locking devices:

•   Periodically change the codes in mechanical pushbutton (cipher/keypad) locks. Although not mandated to do so, SMS changes the codes in its keypad locks when an SMS employee leaves or every 6 months.
•   Replace standard locks on file cabinets and desks with proprietary locks that have keys that cannot be reproduced. A key for a standard lock can be reproduced.

CORPORATION COMMENTS AND OIG EVALUATION

The Corporation provided a written response dated December 16, 2005, to a draft of this report. The Corporation’s response is presented in Appendix VII (without attachments). The FDIC concurred with the intent of each recommendation and agreed to take corrective action on 12 of the 15 recommendations. For the remaining three recommendations (6, 10, and 11), the FDIC indicated, and we concur, that actions taken and/or controls already in place were sufficient and that no further action was warranted. These three recommendations are discussed in more detail below. The FDIC’s written response also included supporting documentation sufficient to close three recommendations (4, 8, and 12). The remaining recommendations (1, 2, 3, 5, 7, 9, 13, 14, and 15) are resolved but will remain open until we have determined that agreed-to corrective actions have been completed and are effective. Appendix VIII presents a summary of the Corporation’s response and the status of each recommendation.

Recommendation 6 advised DOA, in conjunction with the Legal Division, to require contracts involving the electronic transmission of Privacy Act information to include encryption requirements.
DOA concurred with the intent of the recommendation but noted that the APM places responsibility with the program office to identify appropriate security requirements through the contract SOW. Thus, DOA believes the program office would be in the best position to identify whether encryption is necessary. DOA also noted that the APM requires contracts subject to Circular 1360.17, Information Technology Security Guidance for FDIC Procurements/Third Party Products, to include IT security and monitoring requirements in the SOW. In response to recommendation 15, the CPO and DIT agreed to revise Circular 1360.17 to enhance guidance provided to contractors that are not connected to the FDIC’s network but that maintain Privacy Act information on behalf of the FDIC. We consider DOA’s response, along with DIT’s plans to revise Circular 1360.17, sufficient to close the recommendation.

Recommendation 10 advised DOA to evaluate and determine whether DOA should adopt DSC’s practice of not maintaining Unofficial Personnel Files or “working files” and consider establishing a corporate-wide policy consistent with that practice. DOA responded that it had evaluated its practices and decided to continue to maintain these files. DOA indicated that UPFs provide a means for employees and supervisors to readily access information on a regular basis and likely reduce the volume of requests for access to OPFs and, thus, reduce the possibility of compromising OPFs. DOA noted that it had complied with the notice requirements of the Privacy Act and that UPFs were adequately secured. DOA also indicated that it had considered the need for a corporate-wide policy and determined that one was not needed at this time. While we continue to question the need for UPFs, DOA made a good faith effort to evaluate its practices and the need for a corporate-wide policy, and provided a sufficient basis for not taking corrective action. Therefore, we consider DOA’s actions sufficient to close the recommendation.

Recommendation 11 advised DOA to develop corporate guidelines detailing appropriate job tasks that interns should perform and strengthen controls over interns’ access to sensitive information. DOA concurred with the intent of the recommendation but responded that proper controls are in place over student and intern access to sensitive information. DOA noted that (1) all students and interns employed in HRB are required to complete FDIC’s privacy awareness training, (2) supervisors are responsible for discussing the safeguarding of personal employee information with their students and interns and monitoring their use of encryption when sending personal employee information via e-mail, and (3) students and interns hired as year-round employees, as well as summer interns who return to work with the FDIC, undergo the same background investigations as other HRB employees. DOA also pointed out that the nature of tasks assigned to interns and students, such as opening mail, makes it impossible to employ students and interns in HRB without exposing them to personal employee information. We encourage DOA to continue to seek opportunities to raise awareness and to limit students’ and interns’ access to personal information.
However, the controls that DOA described in place over that access, if effectively implemented, appear to provide reasonable safeguards. Therefore, we consider management’s response sufficient to close the recommendation.

APPENDIX I

Objective, Scope, and Methodology

We performed this evaluation at the request of the Director, DOA, who asked that the OIG evaluate the Corporation’s procedures for handling personal employee information. This DOA request was in response to a security breach involving unauthorized access to personal information on a large number of current and former FDIC employees. The objective of our review was to evaluate the FDIC’s policies, procedures, and practices for safeguarding personal employee information in hardcopy and electronic forms. This evaluation does not address other types of confidential or sensitive information such as open bank, depositor, or procurement sensitive information.

We performed our evaluation from July 2005 through October 2005 in accordance with generally accepted government auditing standards. We performed field work in DOA, DIT, DOF, and the Legal Division located in Washington, D.C. In addition, we performed field work in the Atlanta and Dallas DOA regional offices to evaluate the safeguards over maintaining and storing employee OPFs.

To accomplish our objective, we performed the following:

•   Identified criteria used to establish the definition of personally identifiable information.
•   Reviewed relevant criteria, including, but not limited to, the Privacy Act of 1974; E-Government Act of 2002; Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act, 2005; and OMB Circular No. A-130, Management of Federal Information Resources, Appendix I, Federal Agency Responsibilities for Maintaining Records on Individuals. Appendix II contains an overview of applicable laws and regulations.
•   Reviewed privacy awareness information regarding the Risk Mitigation Project Team’s recommendations to the CIO Council for safeguarding sensitive electronic information.
•   Interviewed the Legal Division’s FOIA-Privacy Act Group to gain an understanding of the FDIC’s long-standing privacy program and continued coordination efforts since appointment of the CPO, continuous efforts to publish and update the FDIC’s SORNs, and efforts to perform OMB A-130 reviews of identified SORNs.
•   Reviewed the FDIC Privacy Act SORNs that contained personal employee information.
•   Reviewed the draft revised FDIC Privacy Act Circular and the Legal Division memorandum regarding roles and responsibilities of the CPO.
•   Discussed the status of activities and initiatives related to development of a comprehensive privacy program for the Corporation.
•   Reviewed the FDIC’s PIA template and the PIA completed for CHRIS. Confirmed that PIAs had been completed on the 27 applications that DIT has identified thus far as containing sensitive personal information in order to meet FISMA reporting requirements.
•   Obtained an overview from DOA’s senior management of HR’s policies, procedures, and practices for safeguarding personal employee information electronically and in hardcopy.
•   Discussed HRB practices regarding safeguarding OPFs and other HR processing that involves personal employee information.
•   Observed the operations of the Washington, D.C.; Atlanta; and Dallas OPF file rooms.
•   Discussed policies, procedures, and practices for safeguarding personal employee information obtained through background investigations and other background checks, investigations of employee misconduct and performance problems, recruitment and career management services, and records management.
•   Analyzed DOA’s ASB practices relating to safeguarding personal employee information to which FDIC contractors and vendors have access and identified the specific contractors with access.
•   Assessed encryption requirements for transmission of sensitive information from HRB to vendors and/or contractors.
•   Assessed the FDIC’s use of student interns involved in processes containing employee personal information and their access to sensitive information, as well as the FDIC’s risk designation for the intern position.
•   Reviewed the FDIC APM to identify provisions related to confidentiality agreements and the Privacy Act and reviewed selected contract files to determine whether appropriate provisions and clauses related to privacy and confidentiality agreements were included.
•   Assessed DIT’s efforts to identify systems and applications containing personal employee information.
•   Discussed the status of the SSN project and efforts to limit use or mask SSNs in existing applications.
•   Met with the OIG contractor, KPMG LLP, to discuss the FDIC’s responses to the FISMA Section D questions relating to the privacy program.

Validity and Reliability of Performance Measures

We reviewed the FDIC’s performance measures under the Government Performance and Results Act, the Corporate Performance Objectives (CPO), and the FDIC’s annual performance plan (APP). We determined that the 2005 CPOs and APP did not include an initiative relating to its privacy program.

Reliability of Computer-based Data

We identified and relied on some computer-based data pertaining to the following systems that DOA, DOF, and DIT identified as containing personal employee information (CHRIS, NFC, Digital Library’s CEFile, ARMS, and ETVPS). However, we did not test the reliability of computer-based data extracted from these automated systems because our evaluation objective did not require determining the reliability of computer-based data obtained from the systems.

Internal Controls

We gained an understanding of relevant control activities by (1) reviewing FDIC’s policies, procedures, and practices for safeguarding personal employee information in hardcopy and electronic form, and (2) assessing FDIC’s initiatives to enhance its privacy program. To gain this understanding, we interviewed the CPO, Privacy Program Manager, Privacy Act Clearance Officer, and individuals in DOA, DOF, DIT, and the Legal Division involved in protecting and securing personal employee information.
The finding sections of the report contain recommendations to strengthen certain policies and procedures, practices, and guidance.

Fraud and Illegal Acts

The nature of our evaluation objective did not require that we assess the potential for fraud and illegal acts. However, throughout the evaluation, we were alert to the potential for fraud and illegal acts, and no instances came to our attention.

APPENDIX II

Overview of Applicable Laws and Regulations Related to Privacy

Law                                   Description
Privacy Act of 1974                   Provides specific guidance to federal agencies on the control and release of agency records that relate to individuals. The Act establishes safeguards for the protection of records the federal government collects and maintains on individuals.
E-Government Act of 2002              Establishes a broad framework of measures requiring use of Internet-based information technology to enhance citizen access to government information and increase citizen participation; improve government efficiency and reduce government costs; and promote interagency collaboration in providing electronic government services to citizens and the use of internal electronic government processes to improve efficiency and services provided. Section 208 of the Act includes procedures to ensure the privacy of personal information in electronic records, including agency preparation of PIAs relative to agency information systems.
The Federal Information Security      Provides a comprehensive framework for agencies to secure federal information and assets. This Act is Title III of the E-Government Act of 2002.
Management Act of 2002 (FISMA)
Section 522 of the Transportation,    Requires federal agencies to designate a CPO to carry out duties relating to privacy and protection of personal information collected and used by federal agencies. The requirements include safeguarding information systems from intrusions, unauthorized disclosures, and disruption or damage.
Treasury, Independent Agencies, and
General Government Appropriations
Act, 2005
Paperwork Reduction Act of 1995       Generally requires federal agencies to manage information resources efficiently, effectively, and economically. The Act provides OMB with broad authority to oversee federal agency information resources and policy, including the privacy, confidentiality, security, disclosure, and sharing of information.
OMB Circular No. A-130                Establishes policies for federal agencies for the management of federal information resources, including automated information systems. Appendix I of the circular specifically covers agency responsibilities for implementing the reporting and publication requirements of the Privacy Act.

APPENDIX III

Responsibilities of the Chief Privacy Officer

General Policies

•   Overall agency responsibility for establishing, implementing, and administering privacy and data protection procedures and policies for personally identifiable information.
•   Ensuring that privacy is sustained, and not eroded, by new and emerging technologies relating to the use, collection, and disclosure of personally identifiable information.
•   Ensuring compliance with the Privacy Act, other privacy-related laws that apply to the FDIC, and established agency policies and procedures on privacy and data protection.
•   Assisting in the design of employee training programs to promote awareness and compliance with the agency’s established privacy policies.
•   Overseeing, coordinating, and facilitating FDIC’s compliance efforts and ensuring the Corporation’s privacy procedures are comprehensive and up-to-date.
•   Ensuring central policy-making role in the FDIC’s development and evaluation of legislative, regulatory, and other policy proposals implicating information issues.

Reporting Requirements

•   Annual Report to the Congress on activities relating to privacy.
•   Privacy Impact Assessments.
•   Annual Report to OMB on security and privacy under FISMA.
•   Biennial Report to OMB on computer matching.
•   Reports to OMB and the Congress on new or altered systems.

Other Specific Tasks

•   Establish and implement comprehensive privacy and data protection procedures regarding the security of personally identifiable information.
•   Prepare a written report for the Inspector General, signed by the CPO, of the FDIC’s use of personally identifiable information, along with the established policies and procedures.
•   Ensure that an independent third-party review of the agency’s privacy policies and practices is conducted at least every 2 years.
•   Post privacy policies on the FDIC’s Web site.
•   Ensure that information that is retrievable by an individual identifier is collected, maintained, and protected to preclude unwarranted disclosure of personal information.
•   Ensure that appropriate and adequate safeguards are established to protect records containing personally identifiable information from unauthorized access and disclosure.
•   Review agency Privacy Act training (every 2 years).
•   Review routine use disclosures for each system of records to ensure the recipient’s use of records is compatible with the purpose for which the agency collects
                                                information (every 4 years).\nSource: The FDIC\xe2\x80\x99s Legal Division Memorandum regarding Responsibilities of the Chief Privacy Officer.\n\n\n\n\n                                                              39\n\x0c                                                                                                           APPENDIX IV\n\n\n\nDefinitions for Privacy Act and Other Forms of Sensitive Information\nFDIC Circular 1031.1 (Currently under revision.)\nThe Privacy Act of 1974: Employee Rights and Responsibilities (March 29, 1989)\nCircular cites the Privacy Act of 1974 definition of a \xe2\x80\x9crecord\xe2\x80\x9d which is any item, collection, or grouping of information\nabout an individual that is maintained by an agency, including, but not limited to, his or her education, financial\ntransactions, medical history, and criminal or employment history and that contains his or her name, or the identifying\nnumber (such as a SSN), symbol, or other identifying particular assigned to the individual, such as a finger or voice\nprint or a photograph.\nOMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, Attachment A,\nSection II.A.2\nGuidance includes the term \xe2\x80\x9cinformation in identifiable form,\xe2\x80\x9d which is information in an IT system or online collection:\n(i) that directly identifies an individual (e.g., name, address, SSN or other identifying number or code, telephone\nnumber, e-mail address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other\ndata elements, i.e., indirect identification. 
These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.

DIT Guidance: 10 Tips to Protect IT Resources
The guidance includes a non-exhaustive list of data and documents deemed to be “sensitive data.” The list includes customer data, examination and enforcement data, legal documents, personnel data, assessment data, and resolutions and receivership data.

FDIC Circular 1310.5, Encryption and Digital Signatures for Electronic Mail
The guidance states that e-mails and attachments that contain information of a private or sensitive nature and that are transmitted over unsecured communications, such as the Internet, shall be encrypted and possibly include a digital signature. E-mail and attachments containing sensitive information such as personnel-related actions should be considered for encryption.

OPM Operating Manual: The Guide to Personnel Record Keeping
The manual defines the term “record” as all papers, maps, photographs, machine-readable materials, or other documentation, regardless of physical form, made or received by the Government in connection with the transaction of public business and preserved as evidence of decisions, operations, or other activities of the Government. The manual states that the Privacy Act of 1974, as amended (5 U.S.C. 552a), applies to records under the control of an agency about an individual, such as an employment history, that contain the individual’s name or some other item that identifies that person and from which information is retrieved by the name or other particular assigned to the individual. Agencies must ensure that personnel records subject to the Privacy Act are secured against unauthorized access. Access to personnel records subject to the Privacy Act should be limited to those whose official duties require such access. Agencies should establish procedures to allow employees or their designated representatives access to their own records. Agencies must ensure that those authorized to access personnel records subject to the Privacy Act understand how to apply the Act’s restrictions on disclosing information from systems of records.

FDIC Web Privacy Guide
The guide defines personal information (or personally identifiable information) as any data that identifies an individual. Examples of personal information gathered from the definitions found in pending legislation are: name, e-mail address, home address, other physical address, telephone number, SSN, birth date, place of birth, birth certificate number, any other data that identifies an individual, and any other information that is maintained with, or can be searched or retrieved by means of, any other data in this list.

DIT Policy Memo, Cookies in Internet Products
Personal identifying information is defined, for the purposes of Privacy Act issues, in FDIC Circular 1031.1, The Privacy Act of 1974: Employee Rights and Responsibilities. The following examples of personal identifying information have been gleaned from recent laws, regulations, and proposed legislation addressing online privacy: names, home and other physical addresses, telephone numbers, e-mail addresses, SSNs, any other identifier that permits the physical or online contacting of a specific individual, and any information that is maintained with, or can be searched or retrieved by means of, data described in this definition.

Guidance on Identifying Sensitive and Confidential Information (Prepared by FDIC’s Ethics Section)
The guidance lists the general types of information that are considered to be sensitive and confidential, regardless of whether the information is in a hardcopy document or an automated document, and that may not be disclosed unless specifically authorized by law. The list includes employee personnel records covering all current and former FDIC employees and applicants to and graduates of the FDIC Upward Mobility Program. The guidance contains an extensive, detailed list of information that may not be released, including, for example: individuals’ birth date, SSN, home address and telephone number, emergency contacts, employment and education experience, records of leave and time-and-attendance, performance appraisals, written notes or memoranda on employee performance, records relating to on-the-job training, data documenting reasons for personnel actions, decisions, or recommendations made about an employee, and documents related to on-the-job injuries.

FDIC Privacy Program Web site (external)
The Web site references FDIC’s Privacy Act regulations, which include the definition of a record as any item, collection, or grouping of information about an individual that contains his or her name, or the identifying number, symbol, or other identifying particular assigned to the individual.
The Web site also references personally identifiable information, information on individuals, and personal information, but does not provide a definition for these terms.


APPENDIX V

FDIC Systems of Records Containing Personal Employee Information

30-64-0001  Attorney—Legal Intern Applicant Records
    Location:   Legal Division
    Storage:    Paper format in individual file folders in cabinets
    Safeguards: Records are maintained in lockable metal file cabinets accessible only by authorized personnel.

30-64-0003  Administrative and Personnel Action Records
    Location:   Office of the Executive Secretary
    Storage:    Electronic media, microfilm, and paper format within individual file folders, minute book ledgers, and index cards
    Safeguards: Electronic files are password-protected and accessible only by authorized personnel. Paper format documents are stored in lockable metal file cabinets or a vault accessible only by authorized personnel.

30-64-0006  Employee Confidential Financial Disclosure Records
    Location:   Component divisions, offices, and regional offices
    Storage:    Electronic media and paper format within individual file folders
    Safeguards: Electronic files are password-protected and accessible only by authorized personnel. Paper format copies are maintained in lockable file cabinets.

30-64-0007  Employee Training Information Records
    Location:   DOA
    Storage:    Electronic media and paper format within individual file folders
    Safeguards: Electronic files are password-protected and accessible only by authorized personnel. Paper records within individual file folders are maintained in lockable metal file cabinets accessible only by authorized personnel.

30-64-0010  Investigative Files of the Office of the Inspector General
    Location:   OIG
    Storage:    Electronic media and paper format in individual file folders
    Safeguards: Electronic files are password-protected and accessible only by authorized personnel, and file folders are maintained in lockable file cabinets and lockable offices with access only by authorized personnel.

30-64-0011  Corporate Recruitment Tracking Records
    Location:   DOA
    Storage:    Electronic media
    Safeguards: Password-protected and accessible only by authorized personnel. Network servers are located in a locked room with physical access limited to authorized personnel.

30-64-0012  Financial Information Management Records
    Location:   DOF; Legal Division
    Storage:    Electronic media and paper format/record cards in individual file folders
    Safeguards: Electronic files are password-protected and accessible only by authorized personnel. Paper documents are maintained in lockable metal file cabinets.

30-64-0015  Unofficial Personnel System
    Location:   To be revised at a later date.
    Storage:    To be revised at a later date.
    Safeguards: To be revised at a later date.

30-64-0017  Employee Medical and Health Assessment Records
    Location:   Health Unit, Main Building, Virginia Square, and regions
    Storage:    Electronic media and paper format
    Safeguards: Electronic files are password-protected. Paper format records are stored in lockable file cabinets with limited access.

30-64-0018  Grievance Records
    Location:   DOA
    Storage:    Electronic media or paper format in individual files
    Safeguards: Electronic files are password-protected. Paper records are stored in lockable file cabinets with limited access.

30-64-0020  Telephone Call Detail Records
    Location:   DIT
    Storage:    Electronic media
    Safeguards: Password-protected and accessible only by authorized personnel.

30-64-0021  Fitness Center Records
    Location:   Fitness Center
    Storage:    Paper format within individual file folders
    Safeguards: Records are kept in lockable file cabinets with limited access.

Source: FDIC Rules and Regulations, Part 310.


APPENDIX VI

Types of Information Maintained in the Unofficial Personnel System SORN

Categories of Records in the System

 1.   Information on individuals relating to:
      •   Birth date, SSN, emergency contacts, addresses, and telephone numbers.
      •   Employment and education experience.
      •   Original applications, résumés, and letters of reference.
      •   Record of material and equipment issued to the individual.
      •   Records of leave and time and attendance.
      •   Performance appraisals, written notes or memoranda on employee performance, and counseling.
      •   Employee assignments and list of banks examined.
      •   On-the-job training records.
      •   Data documenting reasons for personnel actions, decisions, and recommendations made about the employee, and disciplinary and adverse action backup material.
      •   Claims for benefits under the Civil Service Retirement System.
      •   Federal Employees Group Life Insurance and documents related to on-the-job injuries.

 2.   Parking Permit Records containing information (name, address, and type of automobile) about FDIC employees who have applied for a parking permit in the FDIC Washington office garage.

 3.   FDIC Personnel Awards, including information supporting the employee’s nomination for one of these awards.

 4.   Dental Insurance Records, including information on earnings, number and names of dependents, sex, birth date, home address, and SSN.

 5.   Employee Locator Records containing the employee’s name, SSN, division or office assignment, office telephone number, and office room number.

 6.   Upward Mobility Files coordinated by the FDIC Office of Personnel Management.

 7.   FDIC Savings Plan Records containing the employee’s name, SSN, grade, salary, home address, and birth date; record of employee contributions and FDIC contributions to investment funds, account earnings, and balance; participant-designated beneficiaries; date of participation; indication as to whether a participant’s interest is vested; allocation of contributions to investment funds; documentation for the reason for a hardship withdrawal and the amount of the withdrawal request (including documents evidencing purchase of a primary residence, proposals to evict from, or foreclose on the mortgage of, a participant’s primary residence, education expenses, medical expenses, and other acceptable financial hardship); documentation to support participation in the FDIC Savings Plan Loan Program; and personal financial statement.


APPENDIX VII


APPENDIX VIII

Management Response to Recommendations

This appendix presents the management response to the recommendations in our report and the status of the recommendations as of the date of report issuance.

Rec. 1
    Corrective Action (Taken or Planned/Status): The Corporation will conduct a comprehensive review of existing directives, policies, and Web sites and will develop and issue an overarching privacy policy, if necessary.
    Expected Completion Date: September 15, 2006
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

Rec. 2
    Corrective Action (Taken or Planned/Status): The Corporation is conducting a comprehensive review of the current UPS SORN to ensure that personal information is handled in full accord with privacy law and policy. A draft of the revised SORN will be prepared and will be subject to approval by the Board of Directors prior to publication in the Federal Register.
    Expected Completion Date: Preparation of draft SORN by March 31, 2006. Publication in the Federal Register by September 15, 2006.
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

Rec. 3
    Corrective Action (Taken or Planned/Status): The Corporation is conducting a review of the current UPS SORN, which will include a thorough reexamination of the purposes, routine uses, and security requirements of each group of records covered by the SORN. The review is designed to ensure that all groups of records are evaluated to determine whether they continue to be compatible and appropriately combined. A draft of any new SORN(s) will be prepared, if determined by the review.
    Expected Completion Date: Draft of new SORN, if necessary, by March 31, 2006
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

Rec. 4
    Corrective Action (Taken or Planned/Status): DOA, in conjunction with the Legal Division, has developed a standard Privacy Act contract clause and has incorporated the clause into its Standard Documents and the General Provisions.
    Expected Completion Date: Completed
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Closed

Rec. 5
    Corrective Action (Taken or Planned/Status): ASB will modify the existing contracts discussed in this report. The modifications will contain the newly developed Privacy Act and confidentiality requirements.
    Expected Completion Date: January 31, 2006
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

Rec. 6
    Corrective Action (Taken or Planned/Status): DOA concurred with the intent of the recommendation but indicated that the program office was in the best position to identify those contracts with encryption requirements and noted that the APM requires contractors subject to Circular 1360.17 to include IT security and monitoring requirements in the SOW.
    Expected Completion Date: Not Applicable
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Closed

Rec. 7
    Corrective Action (Taken or Planned/Status): DOA will modify the contracts identified in this report to include confidentiality clauses.
    Expected Completion Date: January 31, 2006
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

Rec. 8
    Corrective Action (Taken or Planned/Status): ASB held several training/discussion sessions with ASB staff and issued an e-mail reminder that contract specialists do not have the authority to waive confidentiality statement requirements without the Legal Division’s concurrence.
    Expected Completion Date: Completed
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Closed

Rec. 9
    Corrective Action (Taken or Planned/Status): HRB will issue a memorandum to all regional offices instructing the regions to: (1) specify in the SOW for the contractor-operated OPF file rooms the tasks to be performed; (2) ensure that contractors sign confidentiality agreements; and (3) use the ARMS to consistently check OPFs in and out.
    Expected Completion Date: December 16, 2005
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

Rec. 10
    Corrective Action (Taken or Planned/Status): DOA management evaluated DSC’s practice of not maintaining UPFs and the need for establishing a corporate-wide policy. DOA determined a need to continue maintaining these files and that a corporate-wide policy was not needed at this time.
    Expected Completion Date: Not Applicable
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Closed

Rec. 11
    Corrective Action (Taken or Planned/Status): DOA concurred with the intent of the recommendation but responded that proper controls are in place over student and intern access to sensitive information. DOA’s written response detailed examples of those controls.
    Expected Completion Date: Not Applicable
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Closed

Rec. 12
    Corrective Action (Taken or Planned/Status): DOA eliminated the entry of employees’ SSNs in the Career Management Services’ mentoring program database as of October 2005. All further databases transmitted to the contractor will use the CHRIS identification numbers rather than the SSNs. In addition, mentoring program applications for all future mentoring classes will request CHRIS identification numbers rather than SSNs from the applicants.
    Expected Completion Date: Completed
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Closed

Rec. 13
    Corrective Action (Taken or Planned/Status): The CPO has revised the PIA template to include a question pertaining to the opportunities system users have to decline to provide information or to consent to particular uses of information and how system users may grant consent. The CPO will revise all existing PIAs to include this question.
    Expected Completion Date: April 15, 2006
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

Rec. 14
    Corrective Action (Taken or Planned/Status): The CPO will work in conjunction with DOA and the Legal Division to research and document in a report the feasibility, benefits, and costs of requiring that contractors and vendors who are not connected to FDIC’s network, but who maintain Privacy Act information on behalf of the FDIC, receive some form of third-party information technology security review.
    Expected Completion Date: June 15, 2006
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

Rec. 15
    Corrective Action (Taken or Planned/Status): The CPO will enhance the security guidance provided to contractors and vendors that are not connected to FDIC’s network but that maintain Privacy Act information on behalf of the FDIC. The enhancements will clarify which parts of the guidance apply to these types of contractors and vendors and will be reflected in FDIC Circular 1360.17.
    Expected Completion Date: September 15, 2006
    Monetary Benefits: $0
    Resolved (a): Yes
    Open or Closed (b): Open

(a) Resolved – (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

(b) Once the OIG determines that agreed-to corrective actions have been completed and are effective, the recommendation can be closed.
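The corrective action for recommendation 12 (replacing SSNs with internal CHRIS identification numbers in data sent to a contractor) is a pseudonymization step: the direct identifier that Appendix IV lists is swapped for a surrogate that is meaningless outside the agency, and the table that links the two stays inside. The Python below is an added illustration of that approach and of the check a practitioner would run before the export leaves the building; it is not FDIC code, and the page does not describe the format of a CHRIS number, so the "EMP-" plus random hex surrogate, the record layout, and the sample records are all assumptions constructed for the example. The residual scan covers only the SSN pattern, one of the direct identifiers in Appendix IV, and is there because the field you deliberately removed is not the only place an SSN can hide (free-text notes in the constructed sample carry one).

```python
import re
import secrets
from typing import Dict, List, Tuple

# Constructed sample rows (fake data, not FDIC records). The "notes" field of the
# second row carries a stray SSN, the case the residual scan exists to catch.
SAMPLE_RECORDS = [
    {"name": "A. Example", "ssn": "123-45-6789", "division": "DOA",
     "notes": "applied 2005"},
    {"name": "B. Sample", "ssn": "987654321", "division": "DIT",
     "notes": "mentor; SSN 987-65-4321 on paper form"},
]

# SSN-shaped strings: nine digits, with or without the usual dashes.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def normalize_ssn(ssn: str) -> str:
    """Canonical nine-digit form so '123-45-6789' and '123456789' are one key."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("not a nine-digit SSN")
    return digits


class SurrogateMap:
    """SSN -> surrogate table. Stays inside the agency; the export never carries it.

    Surrogates are random rather than a hash of the SSN: the SSN space is only
    10^9 values, so any unkeyed hash could be reversed by brute force.
    """

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def surrogate_for(self, ssn: str) -> str:
        key = normalize_ssn(ssn)
        if key not in self._table:
            # Assumed surrogate format; a real agency id would come from the
            # personnel system, not be minted here.
            self._table[key] = "EMP-" + secrets.token_hex(4).upper()
        return self._table[key]

    def size(self) -> int:
        return len(self._table)


def pseudonymize(records: List[dict], smap: SurrogateMap) -> List[dict]:
    """Drop the SSN column and attach the surrogate identifier instead."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != "ssn"}
        row["employee_id"] = smap.surrogate_for(rec["ssn"])
        out.append(row)
    return out


def find_residual_ssns(rows: List[dict]) -> List[Tuple[int, str]]:
    """Scan every string field of the outgoing rows; return (row index, field) hits."""
    hits = []
    for i, row in enumerate(rows):
        for field, value in row.items():
            if isinstance(value, str) and SSN_RE.search(value):
                hits.append((i, field))
    return hits


def scrub_residual_ssns(rows: List[dict]) -> List[dict]:
    """Redact SSN-shaped strings that survived in free-text fields."""
    return [
        {k: (SSN_RE.sub("[REDACTED-SSN]", v) if isinstance(v, str) else v)
         for k, v in row.items()}
        for row in rows
    ]


def build_export(records: List[dict], smap: SurrogateMap) -> Tuple[List[dict], List[Tuple[int, str]]]:
    """Pseudonymize, record where stray SSNs were found, scrub them, and refuse
    to return anything that still matches."""
    rows = pseudonymize(records, smap)
    hits = find_residual_ssns(rows)
    rows = scrub_residual_ssns(rows)
    if find_residual_ssns(rows):
        raise RuntimeError("export still contains SSN-shaped data")
    return rows, hits


if __name__ == "__main__":
    table = SurrogateMap()
    export, found = build_export(SAMPLE_RECORDS, table)
    print("stray SSNs found at:", found)
    for row in export:
        print(row)
```

The hits list is worth keeping as an audit record of which fields leaked an identifier, since that points at the form or process that put an SSN into free text in the first place; the redaction only stops this export, not the next one.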